Found the coinbase employee.
Yes, because you get verified on ERA by working in the crypto industry :)
I'd wager he's using their VPN; that's probably why.
Another good point -- these types of tools are usually gated on access from within their corp net, so VPN access would most likely be required. What's astounding is how they are still going when this has been happening for going on an hour now. It should be relatively easy to shut this down.
I can see internal tools allowing them to change passwords and turn off MFA, but I'm stretched to imagine how they could get around another company's SSO platform. Maybe I misunderstand the complexities. But your point about being able to impersonate users seems very plausible. I've gotten myself in hot water inadvertently doing that once upon a time.
What I mean is, a Twitter employee had their corporate Twitter SSO account compromised.
Once the "hacker" has access to the employee account via their compromised credentials and access to whatever MFA is required for Twitter employees, they now have the keys to the kingdom.
They can access the internal corporate network via Twitter's VPN, and access any internal/support/eng privileged tools that user has access to. These tools often give you essentially "superuser" access to anyone's account, with the ability to "impersonate" that user, i.e. it will create a logged-in session for you with that user's account in production Twitter without the need to actually go through the login flow that particular user has set up. This is usually helpful for debugging account-specific issues you can't troubleshoot otherwise.
All a guess. What is really weird is that there must be extensive logging for this kind of stuff, so you'd think in this amount of time Twitter would have already figured out which account was doing this and revoked all its access, unless there is really something else.
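One way the logging mentioned above could be turned into a detection, as an added example that is not code from this thread or from Twitter: it assumes a hypothetical audit-log line format for an internal support/impersonation tool (an ISO timestamp, the employee operator, the action, the target account and a source IP), the action names are made up, and the log lines are constructed for illustration. It flags any operator who takes over more distinct accounts inside a short window than a support engineer plausibly would.

```python
"""Flag an operator account abusing an internal impersonation/support tool.

Added example, not code from the thread or from Twitter. The log line
format, the action names and the sample lines below are all hypothetical.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical audit-log format (assumed, not a real tool's):
#   "<ISO timestamp> operator=<employee> action=<verb> target=<user> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) operator=(?P<operator>\S+) action=(?P<action>\S+) "
    r"target=(?P<target>\S+) ip=(?P<ip>\S+)$"
)

# Actions that take over an account rather than merely look at it (assumed names).
SENSITIVE_ACTIONS = {"impersonate", "change_email", "disable_mfa", "send_password_reset"}

# Constructed sample log: alice does ordinary support work, bob walks
# through four accounts in under three minutes and a fifth two hours later.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z operator=alice action=view_account target=user_1001 ip=10.1.1.5
2020-07-15T20:04:00Z operator=alice action=send_password_reset target=user_1001 ip=10.1.1.5
2020-07-15T20:30:00Z operator=alice action=view_account target=user_1002 ip=10.1.1.5
2020-07-15T20:02:30Z operator=bob action=impersonate target=user_2001 ip=10.1.1.6
2020-07-15T20:02:31Z operator=bob action=disable_mfa target=user_2001 ip=10.1.1.6
2020-07-15T20:02:35Z operator=bob action=change_email target=user_2001 ip=10.1.1.6
2020-07-15T20:03:10Z operator=bob action=impersonate target=user_2002 ip=10.1.1.6
2020-07-15T20:03:12Z operator=bob action=change_email target=user_2002 ip=10.1.1.6
2020-07-15T20:04:40Z operator=bob action=impersonate target=user_2003 ip=10.1.1.6
2020-07-15T20:05:05Z operator=bob action=change_email target=user_2004 ip=10.1.1.6
2020-07-15T22:15:00Z operator=bob action=impersonate target=user_2005 ip=10.1.1.6
"""


def parse_line(line):
    """Parse one audit-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def sensitive_events_by_operator(lines):
    """Group account-takeover actions by the employee who performed them, sorted by time."""
    by_operator = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["action"] in SENSITIVE_ACTIONS:
            by_operator[event["operator"]].append(event)
    for events in by_operator.values():
        events.sort(key=lambda e: e["ts"])
    return by_operator


def max_targets_in_window(events, window):
    """Largest number of distinct target accounts touched within any span of `window`.

    Two-pointer sliding window over time-sorted events; `counts` tracks how many
    events per target are currently inside the window so targets can be dropped
    when their last event ages out.
    """
    counts = Counter()
    left = 0
    best = 0
    for right, event in enumerate(events):
        counts[event["target"]] += 1
        while event["ts"] - events[left]["ts"] > window:
            old = events[left]["target"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_abusive_operators(lines, window=timedelta(minutes=10), max_targets=3):
    """Return {operator: distinct accounts taken over} for operators exceeding max_targets."""
    flagged = {}
    for operator, events in sensitive_events_by_operator(lines).items():
        n = max_targets_in_window(events, window)
        if n > max_targets:
            flagged[operator] = n
    return flagged


if __name__ == "__main__":
    for operator, n in find_abusive_operators(SAMPLE_LOG.splitlines()).items():
        print(f"revoke {operator}: {n} distinct accounts taken over within 10 minutes")
```

The threshold is deliberately low because a legitimate support engineer rarely needs to impersonate or rewrite the email of several unrelated accounts within minutes; a real deployment would tune the window and count to the tool's normal usage and would feed the flagged operator into an automatic session and VPN revocation rather than just printing it.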
He reset the emails and passwords of hundreds of verified Twitter accounts.
It'd be even more intriguing if they used an employee tool to just arbitrarily change emails and send password resets. Yikes.