(Reuters) – Twitter suffered from cybersecurity flaws that allowed a “simple” hack attributed to a Florida teenager to take over the accounts of several of the world’s most famous people in July. This emerges from a report published on Wednesday.

The New York Treasury Department’s report recommended that major social media companies such as some banks should be classified as systemically important after the 2008 financial crisis, with a dedicated regulator overseeing their ability to combat cyberattacks and electoral disruption.

“Twitter’s vulnerability to an unsophisticated attack shows that self-regulation is not the answer,” said Linda Lacewell, superintendent for financial services.

Twitter said it worked with the review, adding security to its teams and platform. The company has confirmed that prior to the hack, some employees were tricked into sharing account credentials.

New York Governor Andrew Cuomo said the report showed a “regulatory loophole” and promised the state would take the lead in putting measures in place to protect users.

Cuomo ordered an investigation into a fraud allegedly stealing more than $ 118,000 in Bitcoin after hacking celebrity Twitter accounts on July 15.

People whose accounts were hacked included US presidential candidate Joe Biden; former President Barack Obama; Billionaires Jeff Bezos, Bill Gates, and Elon Musk; Singer Kanye West; and reality TV star Kim Kardashian.

According to Lacewell, hackers were given credentials after calling multiple employees pretending to work in Twitter’s information technology division. Hackers said they were responding to problems with the company’s virtual private network, a situation that had become common because employees were working from home.

“The hackers’ extraordinary access with this simple technique underscores Twitter’s cybersecurity vulnerability and potential for devastating consequences,” the report said.

The lack of Twitter at the time of a chief information security officer also made the San Francisco-based company more vulnerable, the report said.

Florida prosecutors said Graham Ivan Clark was the mastermind behind the hack, accusing the 17-year-old Tampa resident of 30 crimes as an adult.

Clark has pleaded not guilty. The federal prosecutor accused two other people of supporting the hack.

(Reporting by Jonathan Stempel in New York, additional reporting by Katie Paul in Palo Alto. Editing by Andrea Ricci and Tom Brown.)

You can’t solo the COVID-19 gaming security report: learn about the latest gaming attack trends. Access here