It is of note that they're claiming a social engineering attack on an internal employee; not a wide spread social engineering attack on each individual account.
Social engineering attack seems to loose and gain popularity as companies spend more and then less resources against it. I would not claim state actor unless there is more proof.
The measures needed to prevent social engineering goes directly against the social oil that improve cooperation between employees and department. Verification slows down operations, require additional work on top of what is likely an already stressed work environment, and require training. The more a company feel safe, and the more time has past since last attack, the more people will lower their guard. People also tend to focus on past attacks, so while they might have been suspicious against a request to transfer money (the current most common social engineering attack), someone asking for "restoring access" might simply be seen as an innocent and common internal support request without triggering a request for identification.
I would expect that twitter will change their policy and training in order to address this, and in 10 years it will be removed in order to save time and improve response speed between departments, and churn rate will have replaced anyone with memory and training of this event. Then a new attack occurs, maybe with a slightly different target, and we repeat the cycle.
> Why do employees even have access to tools that allow them to take over accounts?
It’s commonly done for customer service purposes at many companies and is heavily audit trailed and access controlled (if the company is doing it right).
I’ve seen nothing so far to indicate they didn’t have heavy audit logging and access control. They just had an employee who knowingly or unknowingly violated company policy.
If past cases are any indication they're just super proud it works and at some point will want to tell someone to get validation. That's when they'll get caught.