How did Twitter get hacked? (password reminder emails)

You're right that in early July, 2009, one of the employees of Twitter, the popular micro-blogging service (which I've written about quite extensively here on this tech support site) had their online identity compromised and through some security holes allowed the hacker, a chap who goes by the name "Hacker Croll" to obtain a variety of personal and corporate documents.

Croll then emailed them to TechCrunch, which sifted through them and published some that it deemed not too personally revealing but still information about the company that was not intended for public eyes.

I have some serious issues with TechCrunch publishing any of this ill-gotten information, personally, but that's the subject of a different discussion in a different venue. I'll just say that it revolves around two key words and a critical concept: business ethics. 'nuf said on that.

Is your Twitter account compromised? No. As far as i can tell, the only thing that this hacker did was steal internal documents, memos, spreadsheets, etc. There was no attempt to copy any user account data. If you're worried, go change your password.

What is worth highlighting, however, is that Hacker Croll got in initially by identifying the Google Gmail accounts of a few Twitter employees, then using the password reminder feature on each. Those reminders were sent to the account owners' alternative email addresses, but in one case it was shown as "xxxx@hxxxxxx.com" and he guessed that it was the same account name @hotmail.com. He was right.

Problem was, the Hotmail account had been cancelled from lack of use.

He re-registered the account as his own, which Hotmail did without a problem, re-requested a Gmail password reminder, and bingo! he had the mail, logged in to Gmail, and was good to go, now deep within all the personal and business information of that particular Twitter employee.

But that's not where there's an actionable item other than a reminder that you should make sure that your backup email addresses for these services is still a valid email address for you.

What intrigued me was that he then searched through the user's Gmail account for other passwords, and found a bunch of them.

To test this, I went to Gmail and searched for "password:" and found hundreds of matches. Not good. Digging a bit further, I also searched for my most common two or three passwords and found almost 75 matches.

Really, really not good. A quick scan reveals that I've used this same password at Vistaprint, iHound, mblast, blog4tix, konaweb, FedEx, BuddyMarks, Netscape, Kontera, and on and on and on.

Since recognizing this, I have deleted all email in my Gmail archive that has one of my popular passwords within (just in case someone gets into that account), and gone to all of the critical sites on the list and changed those passwords to something unique to that site.

So the action item for you, reader, is this:

Go and delete all email messages that include password reminders!

It's much easier to get another reminder if you need it than to inadvertanly have a convenient archive of account name and password pairs for various sites sitting out there in the cloud...

A long, detailed writeup of the entire hack can be found on TechCrunch, if you're interested in more information on how it all went down.