Especially if the hacker is not from the US it seems much easier to do the bitcoin hack than try to contact a company thousands of miles away that you know one at.
The measures needed to prevent social engineering goes directly against the social oil that improve cooperation between employees and department. Verification slows down operations, require additional work on top of what is likely an already stressed work environment, and require training. The more a company feel safe, and the more time has past since last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious against a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
Unless they're saying that there's certain people who have raw DB access...
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
After this they became paranoid of the bug being fixed within hours and tried to monetise it in the quickest, easiest and safest way possible.
https://www.vice.com/en_us/article/jgxd3d/twitter-insider-ac...
If Twitter uses the same 2FA internally as they do for customers it'd be pretty easy to take over a support account if you know of the location of an employee.
