Private account details of several high-profile users have been exposed

May 4, 2009 12:39 GMT  ·  By

This is shaping up to be a very bad year for micro-blogging platform Twitter as far as its security is concerned. Last week, a hacker gained access to a Twitter administrative account and subsequently leaked private information from ten profiles, including some belonging to celebrities such as Ashton Kutcher, Lily Rose Allen and Barack Obama.

"I've just hacked twitter.com yesterday in the afternoon (see full details below) and i've [sic] got a full access to the Admin Panel that was secured with .htaccess," someone going by the handle Hacker Croll wrote on April 29 on several message boards. Initially dismissed by those communities as untrue, the claim was confirmed by Twitter the following day.

Apparently, the hacker needed nothing more than a guessable password-recovery question to take over the Yahoo mailbox of Jason Goldman, Twitter's director of product management, and read the Twitter password stored there. "One of the admins has a yahoo account, i've [sic] reset the password by answering to the secret question. Then, in the mailbox, i have found her [sic] twitter password," Hacker Croll explained. In other words, the admin panel was only as strong as the recovery question on a third-party webmail account.

The e-mail hack was confirmed by Jason Goldman, who posted several messages on Twitter while it was happening. "Wow – my Yahoo mail account was just hacked," "I think I'm back in! Caught it before I couldn't restore from the other email addresses on file," "Wait! We're in a tug of war over control of the account. This is nuts. I hope I win," "Uh-oh. Got some kinda Y! Mail grey screen of death. I'm getting pwnd!" and "If anyone with Yahoo! Security is out there, hit me up with an @reply," they read.

The hacker obtained access to administrative tools that allowed him to see the e-mail address and IP address used to register any account, the last IP address used to log in, and the list of users each account had blocked from sending it messages. For example, the world now knows that both Ashton Kutcher and Lily Rose Allen have celebrity gossip blogger Perez Hilton on their respective block lists.

"Twitter takes security very seriously, so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data," Twitter co-founder Biz Stone wrote on the company's blog after the incident. However, many security professionals remain skeptical of such assurances and argue that the string of attacks that has hit the service this year alone points to a more serious underlying problem with its security practices.

In fact, at the beginning of January, a hacker calling himself GMZ hijacked the account of another administrator and posted fake messages impersonating the likes of Britney Spears, Barack Obama, Rick Sanchez and Fox News. GMZ claimed that he had gained access to the administrative account by running a brute-force dictionary attack, which succeeded because the account's password was the dictionary word "happiness." An online dictionary attack of this kind can only run to completion if the login endpoint keeps accepting failed attempts, so a weak password is never the whole story.
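To make the two halves of that failure concrete, here is an added example (not code from Twitter or from the article) that simulates a dictionary attack against a small in-memory login service. The wordlist, the five-attempt lockout policy and the 15-minute lockout window are all assumptions chosen for illustration; the example shows that a dictionary blocklist at registration and a failed-attempt lockout at login each stop the attack on their own.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample wordlist (a real attacker would use a far larger one).
# "happiness" is the password the article reports for the hijacked admin account.
WORDLIST = ["password", "123456", "letmein", "twitter", "sunshine",
            "happiness", "iloveyou", "monkey"]

MAX_FAILURES = 5           # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumed policy: 15-minute lockout


def weak_password(password: str) -> bool:
    """Blocklist check: reject any candidate that appears in the wordlist."""
    return password.lower() in set(WORDLIST)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed logins
    locked_until: float = 0.0  # timestamp until which logins are refused


@dataclass
class LoginService:
    enforce_lockout: bool = True
    accounts: dict = field(default_factory=dict)

    def register(self, user: str, password: str, enforce_blocklist: bool = True) -> None:
        if enforce_blocklist and weak_password(password):
            raise ValueError("password is a dictionary word")
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is an injected clock."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        if self.enforce_lockout and now < acct.locked_until:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.enforce_lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def dictionary_attack(service: LoginService, user: str, wordlist, now: float = 0.0):
    """Online guessing run; returns (password_found_or_None, attempts_made)."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = service.login(user, guess, now)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def registration_rejected(password: str) -> bool:
    """True if the blocklist stops this password from being registered."""
    try:
        LoginService().register("someone", password)
    except ValueError:
        return True
    return False


def demo():
    # Both services are seeded with the weak password, bypassing the blocklist,
    # to isolate the effect of the lockout policy.
    unthrottled = LoginService(enforce_lockout=False)
    unthrottled.register("admin", "happiness", enforce_blocklist=False)
    throttled = LoginService(enforce_lockout=True)
    throttled.register("admin", "happiness", enforce_blocklist=False)
    return (dictionary_attack(unthrottled, "admin", WORDLIST),
            dictionary_attack(throttled, "admin", WORDLIST))


if __name__ == "__main__":
    print("blocklist rejects 'happiness':", registration_rejected("happiness"))
    print("without lockout / with lockout:", demo())
```

Against the unthrottled service the run recovers "happiness" on the sixth guess; against the throttled one it is locked out after five failures and never reaches it. The blocklist check removes the password from the candidate space entirely, which is the cheaper of the two controls.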