Based on Twitter’s preliminary explanation and the circulating screenshots, the former employees quickly concluded that hackers had accessed an administrative platform known internally as “agent tools” or the “Twitter Services UI.” This internal tool is intended for employees to handle customer support requests and to moderate content, said a person familiar with Twitter’s security.

Hundreds of Twitter employees have access to agent tools, according to one of the people who participated in the former-employee discussions. It is a powerful platform that can show Twitter users’ cellphone numbers if they have registered them with the company, as well as users’ geolocation and any IP addresses that have been used to access the account, the person said…

One of the most sensitive capabilities associated with Twitter’s tool is the ability to change the email addresses to which Twitter sends password-reset instructions. What likely occurred, the former employees said, is that the attackers used the tool to change the email addresses associated with the targeted Twitter accounts, then sent password-reset instructions to new email addresses under the hackers’ control. Once the hackers were able to alter the user passwords, they could log into the Twitter accounts as if they were the rightful owners.
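The takeover sequence described above (operator changes the recovery email, a reset goes to the new address, the attacker logs in) is exactly the pattern an internal-tool audit pipeline should correlate. The following is an added example, not code from Twitter or from the article; it assumes a hypothetical audit-log schema and runs over constructed sample events.

```python
# Added example (not from the article): a detection rule run over constructed
# admin-tool audit events. It flags a support-tool operator changing an
# account's recovery email followed, within a short window, by a password
# reset sent to that same new address, then lists operators who did this
# across more accounts than a normal support workflow would touch.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical schema): ts actor action account key=value
SAMPLE_LOG = """\
2020-07-15T20:01:10Z agent_42 recovery_email_changed @victim1 new=a@attacker.example
2020-07-15T20:02:05Z system   password_reset_sent    @victim1 to=a@attacker.example
2020-07-15T20:03:40Z agent_42 recovery_email_changed @victim2 new=b@attacker.example
2020-07-15T20:04:12Z system   password_reset_sent    @victim2 to=b@attacker.example
2020-07-15T09:30:00Z agent_07 recovery_email_changed @user3   new=real@user3.example
2020-07-15T18:45:00Z system   password_reset_sent    @user3   to=real@user3.example
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, actor, action, account, detail = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "actor": actor, "action": action, "account": account,
                       "detail": detail.split("=", 1)[1]})
    return events

def detect_reset_hijack(events, window=timedelta(minutes=15)):
    """Return (account, operator) pairs where an operator changed the recovery
    email and a reset went to that same new address within `window`."""
    changes = [e for e in events if e["action"] == "recovery_email_changed"]
    resets = [e for e in events if e["action"] == "password_reset_sent"]
    hits = []
    for c in changes:
        for r in resets:
            if (r["account"] == c["account"] and r["detail"] == c["detail"]
                    and timedelta(0) <= r["ts"] - c["ts"] <= window):
                hits.append((c["account"], c["actor"]))
    return hits

def operators_over_threshold(hits, max_accounts=1):
    """Operators whose flagged email changes span more than `max_accounts`."""
    per_op = defaultdict(set)
    for account, actor in hits:
        per_op[actor].add(account)
    return {op: sorted(accs) for op, accs in per_op.items()
            if len(accs) > max_accounts}

if __name__ == "__main__":
    hits = detect_reset_hijack(parse_log(SAMPLE_LOG))
    print(hits)                          # the two @victim accounts
    print(operators_over_threshold(hits))  # agent_42 touching both
```

The @user3 change is a legitimate-looking update (reset hours later) and is not flagged; in production the window, the operator threshold and an allow-list of verified support tickets would be tuned against real ticket volume.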