I don't know about Twitter, but a lot of companies are trying to drop VPNs entirely going no-vpn/beyond-corp/"zero trust", so it's not terribly surprising to me.
This was my first thought as well. It must have been an oversight on someone's part. Maybe infrastructure changes due to the shift to working remotely made it possible to access.
How would a VPN help in this case though? They social-engineered some employees to gain privileged access to the admin UI. If a VPN was in the way they'd do the same thing to get access to the VPN first.
I've seen some solutions where the VPN only works on the company machine. In this case, the socially engineered employee would at least have to hand over their laptop.
That's indeed often the case; how it works is that the machine itself has a client certificate it uses to authenticate with the VPN.
There's no reason that certificate can't be used directly for the HTTPS connection to the admin UI, providing the same security benefits without actually requiring a VPN.
Furthermore, depending on how "deep" the social engineering attack goes, a local user with administrator privileges can typically export those certificates unless they are stored on a hardware module (either a smartcard or an internal TPM/secure element).