Hacker News

Disabling everything would have been quicker, and there's no way they could have been certain which accounts were compromised, certainly not so early. Even now - you have to make do with the traces the attackers leave behind, but it's unlikely you have complete certainty that some traces weren't removed, or fallback backdoors perhaps placed.

Also, disabling everything would have likely been only a very short term solution - just enough to tide you over until you understand roughly what's going on, likely less than an hour.

How many people saw the tweets and transferred bitcoins during the period in which Twitter likely could have turned off everything, but not yet blocked access to the respective accounts? Likely very few, but perhaps not 0. Whether in retrospect that makes Twitter's choice to stay online reasonable depends a little on how much you think Twitter just got lucky that the scope of the attack was small, or that you think they knew what they were doing.




> Disabling everything would have been quicker

How do you know?

While it affected a bunch of popular accounts it didn't really disrupt Twitter for the rest of the user base or put them at huge risk. Disabling all accounts is maybe not even that easy to do on a scale like that where maybe then you are getting overwhelmed by retries / errors from all kinds of apps and it's even harder to control the whole situation. Just disabling high profile accounts seemed like a pretty good workaround.


> How many people saw the tweets and transferred bitcoins during the period in which Twitter likely could have turned off everything, but not yet blocked access to the respective accounts

At most 475 greedy idiots, average $266 each

https://www.coindesk.com/chainalysis-says-bitcoin-scammed-fr...

"The most prevalent address received $120,000 in bitcoin from 375 transactions. Secondary addresses received $6,700 in bitcoin from 100 transactions. An XRP wallet netted nothing."


The fact that the damage was minimal did not mean it had to stay minimal. That's like saying let's not raise the dikes because this time we didn't flood everywhere.


They can do the classic fake error page or fake server overloaded page. Few would suspect anything.



