
I saw this Imgur album linked in one of the original tool tweets. Not sure if fake or real obv.

https://imgur.com/a/2sqjNUo



I don't understand this angle because typically admin panels only let you manage the account: deactivate, manage email address, etc. As shown in the screenshots.

Tweeting on behalf of another user seems like an unnecessary feature to give admins.


Some suggested the admin panel can initiate a password reset, and that, coupled with email management would allow account takeover, effectively (without allowing 'tweet as user' functionality).


All the hacked accounts seem to have had the associated email changed. I think the attack goes admin panel -> change email -> reset PW -> tweet bitcoin scams.

https://twitter.com/sniko_/status/1283485972286656517


If this were true, you'd think it'd be trivial to review the changelog for two affected users and deactivate the in-common admin account. Not sure why this would take hours to solve.

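The correlation the two comments above describe (the chain admin panel -> change email -> password reset, and finding the admin account common to every affected user) is easy to run over an audit log. The following is an added example, not Twitter's tooling or any code from the thread; the log format, field names, admin and user names, and the sample entries are all constructed for illustration, and the five-minute window is an assumed threshold.

```python
"""Correlate an admin-tool audit log to (1) find the operator account common
to every compromised user and (2) flag the change_email -> password_reset
takeover sequence. Added example; the format and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log lines: timestamp, admin actor, action, target user.
SAMPLE_LOG = """\
2020-07-15T20:01:10Z admin=ops_anna action=view_account target=alice
2020-07-15T20:03:05Z admin=ops_bob action=change_email target=victim1 new=attacker1@example.com
2020-07-15T20:03:40Z admin=ops_bob action=password_reset target=victim1
2020-07-15T20:06:12Z admin=ops_carl action=view_account target=victim1
2020-07-15T20:10:55Z admin=ops_bob action=change_email target=victim2 new=attacker2@example.com
2020-07-15T20:11:30Z admin=ops_bob action=password_reset target=victim2
2020-07-15T20:15:00Z admin=ops_anna action=change_email target=dave new=dave.new@example.com
2020-07-15T21:00:00Z admin=ops_anna action=password_reset target=dave
"""

# Assumed threshold: a reset this soon after an email change is suspicious;
# a legitimate support flow (dave above) is usually spread out further.
TAKEOVER_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse 'key=value' audit lines into dicts with a datetime 'ts' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def common_admins(events, affected_users):
    """Admin accounts that touched every affected user.

    An admin present in the history of all victims is the 'in-common admin
    account' to suspend and investigate first."""
    actors_per_target = defaultdict(set)
    for ev in events:
        actors_per_target[ev["target"]].add(ev["admin"])
    per_user = [actors_per_target.get(u, set()) for u in affected_users]
    return set.intersection(*per_user) if per_user else set()


def takeover_sequences(events, window=TAKEOVER_WINDOW):
    """Return (admin, target, start_ts) for each target where the same admin
    did change_email followed by password_reset within `window`."""
    flagged = []
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev["target"]].append(ev)
    for target, evs in by_target.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["action"] != "change_email":
                continue
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # sorted, so nothing further can be in-window
                if later["action"] == "password_reset" and later["admin"] == ev["admin"]:
                    flagged.append((ev["admin"], target, ev["ts"]))
                    break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("common admins:", common_admins(events, ["victim1", "victim2"]))
    for admin, target, ts in takeover_sequences(events):
        print(f"takeover pattern: {admin} on {target} starting {ts.isoformat()}")
```

On the constructed data both checks point at the same operator account, and the sequence check also surfaces victims before anyone reports them, which is the point of running it over the whole log rather than only the accounts already known to be hijacked.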

You're assuming this internal tool was built securely and was feature complete.

My experience with internal tooling in general suggests otherwise.


Changing emails is a common way to keep account owners out of their accounts. It might not have anything to do with the mode of entry.


Given the number of accounts that were taken over, there must have been many people conducting the hack. Also considering that tweets were being deleted then re-tweeted, others must have been monitoring the tweets. Seems somewhat well coordinated.


The feature wouldn't be tweeting per se but acting on behalf of the user, which can prove useful for support or debugging. The side effect is that obviously it also allows tweeting if you wanted to.



