Twitter declined to comment on that figure and would not say whether the number declined before the hack or since. The company was looking for a new security head, working to better secure its systems and training employees on resisting tricks from outsiders, Twitter said. Cognizant did not respond to a request for comment.

“That sounds like there are too many people with access,” said Edward Amoroso, former chief security officer at AT&T. Responsibilities among the staff should have been split up, with access rights limited to those responsibilities and more than one person required to agree to make the most sensitive account changes. “To do cyber security right, you can't forget the boring stuff.”

Threats from insiders, especially lower-paid outside support staff, are a constant worry for companies serving large numbers of users, cyber security experts said. They said that the greater the number of people who can change key settings, the stronger oversight must be.

Stumbles

The former employees said that Twitter had got better about logging the activity of its people in the wake of previous stumbles, including searches of records by an employee accused last November of spying for the government of Saudi Arabia.

But while logging helps with investigations, only alarms or constant reviews can turn logs into something that can prevent breaches.

Former Cisco Systems chief security officer John Stewart said companies with broad access need to adopt a long series of mitigations, “ultimately ensuring that the most powerful authorised people are only doing what they are supposed to be doing”.

Who exactly pulled off the hacking spree isn't clear, but outside researchers such as Allison Nixon of Unit 221B say the incident appears linked to a cluster of cybercriminals who regularly traded in novelty handles – especially rare one- or two-character account names – that are treated a bit like the vanity licence plates of the online world.

Though the public evidence tying the hacking to that cluster was circumstantial, ultra-short Twitter handles were among the first to be hijacked.