Industry guru Dave Taylor offers free tech support on a wide variety of technical and business topics, including HTML, Apple iPhone, online advertising, Cascading Style Sheets, Web design, management, Unix, Linux, search engine optimization, online dating, Mac OS X, shell script programming and Microsoft Windows.

How did Twitter get hacked? (password reminder emails)

The tech gossip blog TechCrunch had a hacker send them confidential business documents from Twitter, obtained by a European-based hacker who had broken into their servers. Not so good. How did he do it, though, and is there any risk of my Twitter account being compromised?

Dave's Answer:

You're right that in early July, 2009, one of the employees of Twitter, the popular micro-blogging service (which I've written about quite extensively here on this tech support site) had their online identity compromised and through some security holes allowed the hacker, a chap who goes by the name "Hacker Croll" to obtain a variety of personal and corporate documents.

Croll then emailed them to TechCrunch, which sifted through them and published some that it deemed not too personally revealing but still information about the company that was not intended for public eyes.

I have some serious issues with TechCrunch publishing any of this ill-gotten information, personally, but that's the subject of a different discussion in a different venue. I'll just say that it revolves around two key words and a critical concept: business ethics. 'nuf said on that.

Is your Twitter account compromised? No. As far as i can tell, the only thing that this hacker did was steal internal documents, memos, spreadsheets, etc. There was no attempt to copy any user account data. If you're worried, go change your password.

What is worth highlighting, however, is that Hacker Croll got in initially by identifying the Google Gmail accounts of a few Twitter employees, then using the password reminder feature on each. Those reminders were sent to the account owners' alternative email addresses, but in one case it was shown as "xxxx@hxxxxxx.com" and he guessed that it was the same account name @hotmail.com. He was right.

Problem was, the Hotmail account had been cancelled from lack of use.

He re-registered the account as his own, which Hotmail did without a problem, re-requested a Gmail password reminder, and bingo! he had the mail, logged in to Gmail, and was good to go, now deep within all the personal and business information of that particular Twitter employee.

But that's not where there's an actionable item other than a reminder that you should make sure that your backup email addresses for these services is still a valid email address for you.

What intrigued me was that he then searched through the user's Gmail account for other passwords, and found a bunch of them.

To test this, I went to Gmail and searched for "password:" and found hundreds of matches. Not good. Digging a bit further, I also searched for my most common two or three passwords and found almost 75 matches.

Really, really not good. A quick scan reveals that I've used this same password at Vistaprint, iHound, mblast, blog4tix, konaweb, FedEx, BuddyMarks, Netscape, Kontera, and on and on and on.

Since recognizing this, I have deleted all email in my Gmail archive that has one of my popular passwords within (just in case someone gets into that account), and gone to all of the critical sites on the list and changed those passwords to something unique to that site.

So the action item for you, reader, is this:

Go and delete all email messages that include password reminders!

It's much easier to get another reminder if you need it than to inadvertanly have a convenient archive of account name and password pairs for various sites sitting out there in the cloud...

A long, detailed writeup of the entire hack can be found on TechCrunch, if you're interested in more information on how it all went down.

Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Stumble Upon

Categorized: Business and Management (Article 8996)
Tagged: gmail, hacking, hotmail, passwords, security, techcrunch, twitter
Previous: How can I fix photos in Apple's iPhoto?
Next: Webmail mailbox exceeds storage limit warning email? Huh?

Subscribe!

Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader.

Comments

It is fascinating how most attacks are much lower tech than we think. I am no hacker--shoot, all I know is a little HTML--but I could easily do that same hack.

This is exactly why I use PasswordSafe, so I have individual passwords for everything I do. Gaining access to one would not reveal any of the others. If you have a "commonly used password", then they can just use your Twitter password and try it out on more important things like online credit card logins, banks, e-mail, and everything else.

Sure, delete those password reminders in your e-mail, but be pro-active: download and use PasswordSafe or some alternative, and make it extremely difficult for this kind of thing to happen.

Posted by: Cooper Strange at July 21, 2009 11:48 PM

I usually use same password for normal websites but for social networking, bank and other critical account, I use unique passwords which is hard to guess.

Posted by: Vinoth at July 25, 2009 12:58 AM

I have something to say, now that you mention it, but ...

I do have a lot to say, and questions of my own for that matter, but first I'd like to say thank you for all your efforts on this Web site by buying you a cup of coffee!

I do have a comment, now that you mention it!