How did Twitter get hacked? (password reminder emails)
The tech gossip blog TechCrunch had a hacker send them confidential business documents from Twitter, obtained by a European-based hacker who had broken into their servers. Not so good. How did he do it, though, and is there any risk of my Twitter account being compromised?
You're right that in early July, 2009, one of the employees of Twitter, the popular micro-blogging service (which I've written about quite extensively here on this tech support site) had their online identity compromised and through some security holes allowed the hacker, a chap who goes by the name "Hacker Croll" to obtain a variety of personal and corporate documents.
Croll then emailed them to TechCrunch, which sifted through them and published some that it deemed not too personally revealing but still information about the company that was not intended for public eyes.
I have some serious issues with TechCrunch publishing any of this ill-gotten information, personally, but that's the subject of a different discussion in a different venue. I'll just say that it revolves around two key words and a critical concept: business ethics. 'nuf said on that.
Is your Twitter account compromised? No. As far as i can tell, the only thing that this hacker did was steal internal documents, memos, spreadsheets, etc. There was no attempt to copy any user account data. If you're worried, go change your password.
What is worth highlighting, however, is that Hacker Croll got in initially by identifying the Google Gmail accounts of a few Twitter employees, then using the password reminder feature on each. Those reminders were sent to the account owners' alternative email addresses, but in one case it was shown as "firstname.lastname@example.org" and he guessed that it was the same account name @hotmail.com. He was right.
Problem was, the Hotmail account had been cancelled from lack of use.
He re-registered the account as his own, which Hotmail did without a problem, re-requested a Gmail password reminder, and bingo! he had the mail, logged in to Gmail, and was good to go, now deep within all the personal and business information of that particular Twitter employee.
But that's not where there's an actionable item other than a reminder that you should make sure that your backup email addresses for these services is still a valid email address for you.
What intrigued me was that he then searched through the user's Gmail account for other passwords, and found a bunch of them.
To test this, I went to Gmail and searched for "password:" and found hundreds of matches. Not good. Digging a bit further, I also searched for my most common two or three passwords and found almost 75 matches.
Really, really not good. A quick scan reveals that I've used this same password at Vistaprint, iHound, mblast, blog4tix, konaweb, FedEx, BuddyMarks, Netscape, Kontera, and on and on and on.
Since recognizing this, I have deleted all email in my Gmail archive that has one of my popular passwords within (just in case someone gets into that account), and gone to all of the critical sites on the list and changed those passwords to something unique to that site.
So the action item for you, reader, is this:
Go and delete all email messages that include password reminders!
It's much easier to get another reminder if you need it than to inadvertanly have a convenient archive of account name and password pairs for various sites sitting out there in the cloud...
A long, detailed writeup of the entire hack can be found on TechCrunch, if you're interested in more information on how it all went down.
More Useful Business and Management Articles:
✔ How do I trademark my group's name?
Yo Dave! So I'm looking 2 trademark my group's name, and once its trademarked will I get a certain certificate of trademark to...✔ Export LinkedIn Profile as a PDF Resume?
I've spent the last year or two updating and adding to my LinkedIn profile and it has a ton of information about me....✔ How do I run a credit card transaction with PayPal Here?
I contacted PayPal and got their little blue triangle card reader for use with the "PayPal Here" application, so I can process credit...✔ How do I search for a registered trademark?
I'm trying to come up with a new name for our software product, having been informed by a customer that a really big...✔ I'm unemployed. What do I list on LinkedIn?
I wanna ask you about LinkedIn. What's the best practice to fill out the CURRENT POSITION Field when you are not working and...
Let's stay in touch!
Sign up for my weekly AskDaveTaylor Newsletter and you'll receive even more tech and gadget help right to your inbox, along with exclusive news and industry updates. It's good stuff. I promise!
I do have a comment, now that you mention it!
Check This Out Too...
Look for Answers
All Our Categories
Apple iPad Help
Articles and Reviews
Auctions and Online Shopping
Blogs and Blogging
Building Web Site Traffic
Business and Management
Computer and Internet Basics
d) None of the Above
Google Gmail Help
Google Plus Help
Industry News and Trade Shows
iPhone and Cell Phone Help
iPod, Sony PSP and MP3 Player Help
Kindle Fire Help
Mac OS X Help
Pay Per Click (PPC) Advertising
Search Engine Optimization (SEO)
Shell Script Programming
Tech Support Video Help
The Writing Business
Twitter, LinkedIn and Social Network Help
Unix and Linux Help
Video Game Tips and Help
Windows PC Help
Find Me on Google+
ADT on G+