Rogue Meta employees and contractors abused an internal tool called "Oops," which is primarily intended for in-house account recovery for employees and business partners. There were some cases of account hijacking for money.
The problem stems from developers failing to remove the Twitter API keys they use for authentication from the app before they release it to the public. This creates the possibility of account hijacking.