In a statement, Warren said that the FBI and the US Department of Justice had found the suspect in Hillsborough County after a "complex, nationwide investigation". The outlet said the teen was charged with 17 counts of communications fraud, one count of fraudulently using personal information, and 10 counts of fraudulent use of personal information, one count of access to an electronic device without authority, and one count of organized fraud.
Twitter said that the sites entire system was targeted in the hack, now the company has confirmed that the hack was a "phone spear phishing attack" that targeted a small number of Twitter employees.
Prosecutors allege the July 15 scheme "stole the identities of prominent people" and "posted messages in their names directing victims to send Bitcoin" to accounts that were associated with the Tampa teen.
According to a Reuters report, over 1,000 Twitter contractors and employees had access to the company's internal tools before the attack.
He then posted tweets from numerous accounts claiming that they wanted to "give back to the community" and would double Bitcoin donations sent to an attached address. The internal tools were used to target 130 accounts, and for 45 of those accounts, hackers initiated a password reset and had full access to the account to send tweets.
"To make sure that we understand, he compromised the security of a Twitter employee, which allowed him to gain access to Twitter's internal accounts and control", Warren told reporters Friday. Dutch anti-Islam lawmaker Geert Wilders has said his inbox was among those accessed.
Twitter says that it has "significantly" limited employees' access to its internal systems and support tools during the ongoing investigation and that it expects response times to some user reports and support needs to be slower until normal operations will be resumed.
'When the worker called the number they might have been taken to a convincing (but fake) helpdesk operator, who was then able to use social engineering techniques to trick the intended victim into handing over their credentials, ' Clulely wrote on his blog on Friday.
It's also possible the hackers pretended to call from the company's legitimate help line by spoofing the number, he said.