by dguido 2161 days ago
It's not sensationalist when you realize it directly contradicts Twitter's prior statements from just last year about it:

> Twitter, in a statement, said it is aware that "bad actors" will try to undermine its service and that the company "limits access to sensitive account information to a limited group of trained and vetted employees."

https://www.npr.org/2019/11/06/777098293/2-former-twitter-em...

1,000 people, including contractors outside the company, is not a "limited group of trained and vetted employees." It's news because they misled people about their security, again.

8 comments

I don't think that's a contradiction, I think you and Twitter have different understandings of what the size of a "limited group of employees" is. The usual advice of dismissing nebulous corporate statements like that applies.

Anyway, even if they had provided a figure, I think you're taking it out of context - the quote says access to "sensitive account information" is limited, not access to account recovery options. So it's potentially someone outside of that limited group whose credentials were compromised.

<cynical view> I think the misunderstanding is over the phrase "sensitive account information".

I notice it wasn't Nestle or Verizon or Disney or Heinz or Unilever accounts that got hacked.

You know, the information about "accounts". The records of monetary transactions.

https://www.statista.com/statistics/1094351/us-twitter-adver...

> 1,000 people, including contractors outside the company, is not a "limited group of trained and vetted employees."

That's not necessarily true. 20% of the company could fairly reasonably be deemed "limited", and there being a thousand of them doesn't mean they're not trained on their tasks.

Everyone having access but James the Janitor is technically limited access too.
We'll have to agree to disagree on what we consider fairly reasonable to call "limited".
Today I learned that Twitter has 4,600 employees. What are they all doing?
Ya cos Twitter is just a CRUD app /s

Once you want to add more people to any business, you need to add even more people to that business.

Let's say you have 10 engineers and want to add another. Suddenly HR's workload has tipped over the limit and you need more HR people. Now communication is fracturing for those 10 engineers and you need a Product Manager and an Engineering Manager to centralise the steering and cohesion of those 11 engineers. Now budgets, payroll and accounting have increased and you need another Finance person.

Suddenly your office is too small so you need a bigger office and an office manager.

This is obviously a contrived example, but having worked at a very early stage startup, a mid sized startup and a global megacorp while seeing all of them go through various growth cycles, you start to appreciate how headcount can creep in ways which feel indirect to the most pressing problem at hand (ship more features, deliver more customer value).

You see it in software terms too - as your software project scales, suddenly you need more infra and your CI environment gets more complex. Suddenly your workflows don't scale as too many engineers are working on the same code, so you rearchitect (components/microservices), then you need to start building dev tooling and metrics/observability....

I guess as some kind of system scales, the leverage you gain from adding a thing to it has some diminishing curve / inverse relationship to the size of the system.

They have 35 offices, I assume it adds up.
Oh, right. That makes sense.
Support, operations, legal, purchasing, finance, marketing, development, and management.
Running one of the world's most important communication platforms.
1000 people absolutely is limited - it's not everyone at the company! I'm sure they did their annual security training, like everyone here, and they might have even passed an additional screening and another training session for account access.

You have unreasonable expectations for what "limited group of trained and vetted employees" means in a CSR environment for millions of customers.

> 1,000 people, including contractors outside the company, is not a "limited group of trained and vetted employees." It's news because they misled people about their security, again.

I don't think this is misleading at all. Your bank probably has thousands of people who can get equivalent access to your account, and they serve far fewer people than Twitter, and mostly during business hours, in one language, in one country.

1000 people in total when they have to have some available 24/7 isn't many.

Say 200 of them are individual technical staff with access for specific debugging purposes. Then it's only 200 people per 8 hour shift.

There are probably requirements for specific language support too, which increases the head count. There was a period of time some years ago when Twitter's peak usage was from Japan, in Japanese hours, in the Japanese language.

Banks make the same promise that it is a "limited group of trained and vetted employees."

In an organization as large as Twitter or a bank, that still means thousands of people. You are seeing 1000 as large because you are forgetting the scale on which they operate.

It can be every employee except one and still be called a "limited group of trained and vetted employees". It's written that way so that they cover their ass; it's not a statement of security.
It's funny how most people think that 1000 out of 4600 employees having admin access is "not misleading" and counts as a "limited" group. It shows how in the public mind, technology groups should not be held accountable for their actions.
I take it that 1000 out of 4600 employees shows that, not unsurprisingly, a lot of the staff at this technology company may be involved in hands-on activities against live services. Maybe DevOps style.
Why is that not surprising? Maybe we are used to different types of technology companies though.
I'm sure they took a web training before being handed the keys to the kingdom.