Hacker News

Sounds more like Twitter itself has been compromised on their end at that point.


If I had to guess, it was an internal job from a disgruntled employee with access to hijack users’ email address. Change their email address, reset password, open the email and then you can log in. They might also need access to change the 2FA phone number if it was set.


It's much more likely a common social media marketing platform was compromised.


It seems a total account takeover, not just the ability to send tweets in their name - the email addresses have been reset, see https://twitter.com/sniko_/status/1283485972286656517


But then wouldn't these tweets say something other than "Twitter Web App"?


Users of the middleware likely want to hide the fact that they're scheduling their tweets; I would imagine the tool sets this value explicitly to have the tweets appear more genuine. </postulating>


It's a wide enough range of accounts that it's most likely an internal admin panel.

Special protected accounts (e.g., Trump's) seem unaffected, whereas hundreds (thousands?) of "regular" accounts, high profile and small, are compromised.


A lot happened in the 32 minutes since I posted that.



