UPDATED 23:20 EDT / JULY 22 2020

SECURITY

Twitter hackers got into direct messages of users, including a government official

Twitter Inc. announced today that last week’s hack accessed the direct messages of a few dozen people, including one government official.

In a series of tweets, the company said its investigation into the “specifics about what the attackers did to the accounts” is ongoing, but that of the 130 targeted accounts, 36 are so far known to have had their direct messages accessed.

That’s worrying, given that the hackers could have read anything in those DMs and one of the accounts belonged to an elected official. The prospect of this happening to other elected officials around the world has some critics concerned, while others have pointed out that access to the DMs of any well-known figure could lead to blackmail.

The hack last week was widely described as the worst social media hack ever, leaving Twitter embarrassed and many security experts concerned. The accounts taken over included those of Barack Obama, Joe Biden, Jeff Bezos, Elon Musk, Bill Gates, Warren Buffett and Mike Bloomberg. Although their DMs were not seen by the attackers, one can only wonder what trove of information those inboxes might hold.

It seems the hackers were not concerned with embarrassing the public figures and were only interested in making some money through a bitcoin scam. It was later assumed that a Twitter employee was involved, possibly with a young hacker from the U.K. The hackers bagged an estimated $121,000, although that cash might be hard to collect without getting caught, according to security experts.

Twitter updated the public last week on how many people were affected, saying that the number of targeted accounts was 130. Tweets were sent from some 45 of those accounts, and 36 more had their DMs accessed. Perhaps more worrying is that eight of the accounts had their archive downloaded via the “Your Twitter Data” feature.

Twitter said that none of those eight accounts was verified. When asked by Reuters if any of the 36 accounts that had their DMs accessed was verified, Twitter declined to comment.

Some security experts were skeptical of Twitter’s claim that social engineering was responsible for the attack.

“Hijacking one or two accounts by tricking Twitter tech support seems fairly plausible, but the long-lasting takeover of dozens of top accounts requires a much more sophisticated and multidimensional preparation of attack,” said Ilia Kolochenko, founder and chief executive of the web security company ImmuniWeb. “I think the reported social engineering attack vector was enhanced by exploitation of other weaknesses in Twitter’s internal security. It is not excluded that the attackers were assisted by an insider or were exploiting a high-risk vulnerability detected in one of Twitter’s web systems. Otherwise, we may reasonably infer that Twitter has virtually no internal security controls and best practices that we should normally expect from a tech company of its size.”

Image: Esther Vargas/Flickr
