As investigators look into the Twitter breach, other experts warn that savvy intruders could instead leave a trail of red herrings

As the Federal Bureau of Investigation looks into the cyberattack on
Twitter Inc.
last week, corporate security chiefs say the hours and days after a major hack yield important evidence for investigators piecing together how the incident occurred and what the company must do next.The immediate questions are, How did they get in? And what did they do? said Raj Badhwar, chief information security officer at Voya Financial Inc. We obviously plug that hole and stop the bleeding.
Twitters breach Wednesday blew up in public, with the verified accounts of influencers such as Barack Obama and Bill Gates urging users to send cash to cryptocurrency accounts. Security experts believe the attack might have focused on the companys internal account-reset systems, which are used to help users regain access after losing their phones or forgetting their passwords, The Wall Street Journal reported Thursday.
Confusion can reign during such high-profile incidents. As security teams evaluate data from across their systems, trying to find the vulnerability, early evidence can also lead investigators to false leads or dead ends, said Fredrick Lee, chief security officer for Gusto, a payroll and benefits platform formerly known as ZenPayroll Inc.
Thats also a tactic of an attacker, Mr. Lee said. If youre a good attacker, you want to compromise an insider and look like an insider to try and cover your tracks as much as possible.
Details of what happened to Twitter are emerging. The company has said attackers targeted certain Twitter employees through a social engineering schemetrickery or coerciongot through two-factor security measures and accessed internal systems. Of 130 accounts targeted, the company said, hackers were able to reset passwords, login and tweet from 45 of them.
For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the accounts information, the company said. It added later that none of the eight were verified users.
It could not be learned whether a Twitter staffer was actively involved in the breach or how much data was accessed.
Mr. Badhwar at Voya said the incident struck fellow security leaders as unusual.
When he heard about the account takeovers, he immediately consulted his intelligence network to learn more and looked for Twitters statements on the attack. Im surprised. Theyre a tech company, he said.
Related Video: High-profile Twitter accounts, including those of Barack Obama and Elon Musk, were the target of a widespread attack that security experts are calling the worst hacking incident in the company’s recent history. WSJs Euirim Choi reports on the hack, which looks different from other security breaches. Photos: Robyn Beck/AFP via Getty Images, Sean Gallup/Getty Images and Dado Ruvic/Reuters
Employees are often the weakest points in a companys defenses because they can fall for lures such as phishing emails, cybersecurity experts say, and attackers are increasingly turning to automation to blast them out en masse.
But insider threats can be hard to identify in real time, said Derek Manky, chief of security insights and global threat alliances at FortiGuard Labs, the research arm of cybersecurity firm
Fortinet Inc.
These insiders already have credentialed access to the network and services, so few, if any, alerts are triggered when they begin to behave badly, he said in an email. And given the increased amount of data already leaving the traditional network perimeter [with remote work], it is easier to hide data theft than ever before.
In a blog post Friday night, Twitter said its incident-response team temporarily locked many other accounts and internal tools last week to limit the attacks reach.
We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems, the company added.
The incident has underscored the dual, and at times divergent, security calculations of companies that cater to both consumers and enterprises, cybersecurity experts say.
Mr. Lee, formerly the head of information security at Square Inc., which is also run by Twitter Chief Executive Jack Dorsey, said companies should install preventive measures such as requiring multiple employees to access customers accounts during troubleshooting.
What that does is it raises the attack cost, because, as an attacker, it means that I have to compromise two individuals inside of a company, and not just one, he said.
While the added layer of security can create new hurdles for individual users seeking to fix problems, Mr. Lee added, it might also reduce the possibility of costly or embarrassing breaches.
When you introduce friction, you have to be thoughtful about it, he said.
Write to David Uberti at david.uberti@wsj.com and Kim S. Nash at kim.nash@wsj.com