If this is the true story. Is it a standard practice on social networks to give to an administrator the right to post anything in your name without any distinguishable marker? There is a enormous trust issue here. I expect an administrator to be able to moderate a post or disable an account, not to impersonate it from a admin dashboard.
From reading HN comments, it is more likely that the attacker changed the account email from the admin panel and took over the account (even accounts with 2FA enabled), which seem more likely to me.
To prevent this kind of mess, Twitter should add more restrictions do disable 2FA on an account (multiple admin authorizations, email notification, add delay before the action is performed) and also change the account state to unverified and add to the feed a "email changed" or "identity changed" status. I also think that changing the email should not be immediate and that the old email should be notified of the change.
Not the same , he modified SQL dB directly and he was the CTO and one of primary architects of the system.
This is admin UI given to operations staff , far more trivial to have writes protected ,I cannot imagine anyone need to write to customer data that often in this kind of app.
