

How did Twitter get hacked? (password reminder emails)

The tech gossip blog TechCrunch had a hacker send them confidential business documents from Twitter, obtained by a Europe-based hacker who had broken into Twitter's servers. Not so good. How did he do it, though, and is there any risk of my Twitter account being compromised?


Dave's Answer:

You're right. In early July 2009, an employee of Twitter, the popular micro-blogging service (which I've written about extensively here on this tech support site), had their online identity compromised. That single compromised identity let a hacker who goes by the name "Hacker Croll" obtain a variety of personal and corporate documents. Note what it was not: it was not a break-in through Twitter's own servers, as the question suggests, and no exotic exploit was involved. It was a chain of account-recovery weaknesses, described below.

Croll then emailed the documents to TechCrunch, which sifted through them and published the ones it deemed not too personally revealing, though still information about the company that was never intended for public eyes.

I have some serious issues with TechCrunch publishing any of this ill-gotten information, personally, but that's the subject of a different discussion in a different venue. I'll just say that it revolves around two key words and a critical concept: business ethics. 'nuf said on that.

Is your Twitter account compromised? No. As far as I can tell, the only thing this hacker did was steal internal documents, memos, spreadsheets and the like; nothing indicates that any user account data was copied. If you're worried, change your password anyway, and make sure the new one isn't a password you use anywhere else.

What is worth highlighting, however, is how Hacker Croll got in initially: he identified the Gmail accounts of a few Twitter employees and used the password reminder feature on each. Those reminders go to the account owner's alternative email address, which Gmail shows only in masked form. In one case the hint read "xxxx@hxxxxxx.com", and he guessed that it was the same account name @hotmail.com. The mask hides the characters but not their count, and "h" plus six characters plus ".com" fits Hotmail and very few other providers. He was right.

The problem was that the Hotmail account had been cancelled for lack of use, and Hotmail recycled the address: a closed account name was free for anyone to register.

He re-registered the account as his own, which Hotmail permitted without complaint, requested another Gmail password reminder, and bingo: the reminder landed in his mailbox, he logged in to Gmail, and he was deep within all the personal and business information of that particular Twitter employee.

The actionable item from that part of the story is simple: make sure the backup email addresses you've registered with these services are still addresses you control and actually check. A recovery address is only as secure as the account it points to, so a lapsed one is an open door, and a recovery account that shares a password with the primary is scarcely better.
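To make the "masked hint still leaks enough" point concrete, here is a small added example (my illustration, not anything from the original write-up or from Hacker Croll) that turns a masked recovery hint into a pattern and checks it against a constructed list of common webmail providers. The provider list and the username "dave" are assumptions for the demo; the real employee's name is not on this page.

```python
import re

# Constructed candidate list of webmail providers (assumption: an attacker
# would try the common ones first); not taken from the original article.
COMMON_PROVIDERS = [
    "hotmail.com", "gmail.com", "yahoo.com", "aol.com", "live.com",
    "msn.com", "hushmail.com", "mail.com", "hanmail.net", "gmx.com",
]


def mask_to_regex(masked):
    """Turn a masked hint such as 'hxxxxxx.com' into an anchored regex.

    Every 'x' stands for exactly one unknown character; every other character
    is shown literally.  So the hint leaks the exact length of each part plus
    whatever characters the provider chose to reveal.
    """
    pattern = "".join("." if ch == "x" else re.escape(ch) for ch in masked)
    return re.compile(pattern)


def candidate_domains(masked_address, providers=COMMON_PROVIDERS):
    """Return the providers whose domain fits the masked domain part."""
    domain_mask = masked_address.split("@", 1)[1]
    rx = mask_to_regex(domain_mask)
    return [p for p in providers if rx.fullmatch(p)]


def candidate_addresses(masked_address, username, providers=COMMON_PROVIDERS):
    """Combine a username learned elsewhere with each matching domain.

    In the Twitter case the attacker assumed the local part was the same
    account name he already knew from Gmail; this reproduces that guess and
    rejects the username if it does not even fit the local-part mask.
    """
    local_mask = masked_address.split("@", 1)[0]
    if not mask_to_regex(local_mask).fullmatch(username):
        return []
    return [f"{username}@{d}" for d in candidate_domains(masked_address, providers)]


if __name__ == "__main__":
    hint = "xxxx@hxxxxxx.com"          # the hint quoted in the article
    print("domains fitting the mask:", candidate_domains(hint))
    print("addresses to try:", candidate_addresses(hint, "dave"))  # 'dave' is hypothetical
```

The defensive reading of the same code: run your own masked recovery hints through it, and if the list that comes back is short, treat the recovery address as known to an attacker and make sure you still control it.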

What intrigued me was that he then searched through the user's Gmail account for other passwords, and found a bunch of them.


To test this, I went to Gmail and searched for "password:" and found hundreds of matches. Not good. Digging a bit further, I also searched for my two or three most common passwords and found almost 75 matches.

Really, really not good. A quick scan reveals that I've used this same password at Vistaprint, iHound, mblast, blog4tix, konaweb, FedEx, BuddyMarks, Netscape, Kontera, and on and on and on.

Since recognizing this, I have deleted every email in my Gmail archive that contains one of my frequently used passwords (just in case someone gets into that account), and gone to all of the critical sites on the list and changed those passwords to something unique to that site.

So the action item for you, reader, is this:

Go and delete all email messages that include password reminders!

It's much easier to request another reminder if you need it than to inadvertently keep a convenient archive of account name and password pairs for various sites sitting out there in the cloud. Two caveats: deleted Gmail messages sit in Trash for up to 30 days unless you empty it, so empty it; and a site that can mail you your existing password in plain text is storing it in a recoverable form, which is reason enough to give that site a password you use nowhere else.
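The manual Gmail search above is easy to automate against an exported mailbox (Gmail's export today is an mbox file). The following is an added example, my code rather than anything from the original post: it scans an mbox, pulls out every message that spells out a password, and then groups the findings by password value so that reuse across sites is visible at a glance, which is the second thing I went looking for. The sample messages, sites, addresses and passwords embedded below are constructed for the demo.

```python
import mailbox
import re
import tempfile
from collections import defaultdict

# Constructed sample mailbox: three password-reminder mails plus one ordinary
# message.  Every sender, site and password here is made up for the example.
SAMPLE_MBOX = """From sales@vistaprint.example Mon Jul 20 10:00:00 2009
From: Vistaprint <sales@vistaprint.example>
Subject: Your account details
Content-Type: text/plain

Thanks for registering. Username: dave  Password: tr0ub4dor

From noreply@fedex.example Mon Jul 20 11:00:00 2009
From: FedEx <noreply@fedex.example>
Subject: Password reminder
Content-Type: text/plain

As requested, your password is: tr0ub4dor

From support@konaweb.example Mon Jul 20 12:00:00 2009
From: KonaWeb <support@konaweb.example>
Subject: Welcome to KonaWeb
Content-Type: text/plain

Login: dave
Password: c0ffee-cup

From mom@family.example Mon Jul 20 13:00:00 2009
From: Mom <mom@family.example>
Subject: dinner
Content-Type: text/plain

Don't forget your password to the garage is the same as before.
"""

# "password: X", "Password = X", "your password is: X"; the last message above
# mentions the word without spelling a value out and must not match.
PASSWORD_RE = re.compile(r"password\s*(?:is)?\s*[:=]\s*(\S+)", re.IGNORECASE)


def write_sample_mbox():
    """Write the constructed mailbox to a temp file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
        return fh.name


def message_text(msg):
    """Concatenate the text/plain parts of a message (HTML-only parts and attachments are ignored)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def find_password_reminders(mbox_path):
    """Return (sender, password) for every spelled-out password in the mailbox, in file order."""
    hits = []
    for msg in mailbox.mbox(mbox_path):
        for m in PASSWORD_RE.finditer(message_text(msg)):
            hits.append((msg.get("From", "?"), m.group(1)))
    return hits


def reused_passwords(hits):
    """Group hits by password value and keep only values seen with more than one sender."""
    by_value = defaultdict(list)
    for sender, pw in hits:
        by_value[pw].append(sender)
    return {pw: senders for pw, senders in by_value.items() if len(senders) > 1}


if __name__ == "__main__":
    path = write_sample_mbox()
    hits = find_password_reminders(path)
    for sender, pw in hits:
        print(f"{sender}: {pw}")
    for pw, senders in reused_passwords(hits).items():
        print(f"REUSED {pw!r} at {len(senders)} sites: {', '.join(senders)}")
```

Point the scanner at your real export instead of the sample, change every password that shows up in the reused set first, and then delete the messages themselves (and empty Trash). The regex only catches passwords that are spelled out in plain-text parts; an HTML-only reminder or one inside an attachment needs a separate pass.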

A long, detailed writeup of the entire hack can be found on TechCrunch, if you're interested in more information on how it all went down.







Categorized: Business and Management   (Article 8996, Written by )
Tagged: gmail, hacking, hotmail, passwords, security, techcrunch, twitter




Reader Comments To Date: 4

Cooper Strange said, on July 21, 2009 11:48 PM:

It is fascinating how most attacks are much lower tech than we think. I am no hacker--shoot, all I know is a little HTML--but I could easily do that same hack.

This is exactly why I use PasswordSafe, so I have individual passwords for everything I do. Gaining access to one would not reveal any of the others. If you have a "commonly used password", then they can just use your Twitter password and try it out on more important things like online credit card logins, banks, e-mail, and everything else.

Sure, delete those password reminders in your e-mail, but be proactive: download and use PasswordSafe or some alternative, and make it extremely difficult for this kind of thing to happen.

Vinoth said, on July 25, 2009 12:58 AM:

I usually use the same password for ordinary websites, but for social networking, banking and other critical accounts I use unique passwords which are hard to guess.

awat said, on June 1, 2010 1:33 AM:

find my password

omodestyo said, on October 19, 2011 11:39 PM:

Please help me retrieve my password; I have forgotten the answer to the question Yahoo asked me, so please, I need that password.

© 2002 - 2013 by Dave Taylor. All Rights Reserved.