French Hacker Explains How He Hacked Twitter

I was reading an article today from PC World about Hacker Croll, the French hacker who broke into Twitter's Google Apps accounts and stole around 300 private documents.

The scary thing is that the hacker didn't use any specialist software or exploit a security hole in the software. He simply gathered a large amount of information on Twitter employees and then looked for a way to use it against them.

Hacker Croll started by building a profile of his target company, in this case Twitter. Basically, he assembled a list of employees, their positions within the company, and their associated e-mail addresses. After the basic information was accumulated, Croll built a small profile for each employee with their birth date, names of pets, and so on.

After Croll had created these profiles, he just went about knocking on doors until one fell down. That's exactly what happened when he started a password recovery process for a Twitter employee's personal Gmail account. Croll discovered that the secondary account attached to this person's Gmail was a Hotmail account. The problem was that the Hotmail account had been deleted and recycled due to inactivity, a longstanding policy on Hotmail. Now all Hacker Croll had to do was re-register the Hotmail account for himself, go back and run the Gmail password recovery again, and Gmail sent the password reset information straight to the bad guy.

But it's not over yet. Gmail asked Hacker Croll to reset the password of the Twitter employee's personal e-mail account, which he did. But now the original user was locked out of their account, which would send up an obvious red flag. So Croll searched the Gmail account itself for passwords from the person's other active services. He then set the account's password back to a commonly used password he'd found there, and waited to see whether the person began using their account normally again. Croll now had access to the Gmail account from behind the scenes, and was able to read information undetected. Making life even easier, the Twitter employee used the same password on her business and personal accounts, so the hacker now had access to both, and the rest was history.
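The weak link in the story above is that a reset link went to a recovery address nobody had confirmed was still the owner's. As an added example (not from the article or from Google), here is a small policy check a provider could apply before mailing a reset link: a recovery address that has not been re-confirmed by the account owner within a fixed window (the 90-day limit and the sample accounts are constructed assumptions) is not trusted on its own.

```python
"""Recovery-channel freshness check (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: a recovery address must have been re-confirmed by the owner
# within this window before it may receive a password-reset link on its own.
MAX_VERIFICATION_AGE = timedelta(days=90)


@dataclass
class RecoveryContact:
    address: str
    last_verified: datetime  # last time the owner confirmed a mail sent there


@dataclass
class Account:
    username: str
    recovery: RecoveryContact
    has_second_factor: bool  # e.g. a phone number or authenticator enrolled


def reset_decision(account: Account, now: datetime) -> str:
    """Decide how a 'forgot password' request should be handled.

    'send'    - recovery address is fresh; mail the reset link there.
    'step-up' - recovery address is stale but a second factor exists;
                require it before any reset mail goes out.
    'hold'    - stale address and no second factor; do not mail a reset
                link, notify the primary mailbox and route to support.
    """
    age = now - account.recovery.last_verified
    if age <= MAX_VERIFICATION_AGE:
        return "send"
    if account.has_second_factor:
        return "step-up"
    return "hold"


def reverify_due(accounts, now: datetime) -> list:
    """Usernames whose recovery address should be re-confirmed at next login."""
    return [a.username for a in accounts
            if now - a.recovery.last_verified > MAX_VERIFICATION_AGE]


# Constructed sample data: a recovery address last confirmed two years ago
# (long enough for a free-mail provider to have recycled it) and a fresh one.
NOW = datetime(2009, 7, 1)
STALE_NO_2FA = Account("employee-a", RecoveryContact("old@example.net", datetime(2007, 5, 1)), False)
STALE_WITH_2FA = Account("employee-b", RecoveryContact("old2@example.net", datetime(2007, 5, 1)), True)
FRESH = Account("employee-c", RecoveryContact("me@example.org", datetime(2009, 6, 1)), False)
```

Re-confirming the recovery address while the owner is logged in is what turns a silently recycled address into a visible failure, which is the detection the story lacked.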

The story is quite scary because this could clearly happen to any one of us. I don't think it's practical to use a different password for every site you sign up for, so I would like to see more OpenID-style sign-ins to stop this kind of thing from happening.


About the Author

Kevin MuldoonJames Hakim is a webmaster, blogger and self-confessed gadget geek! He owns numerous websites on the net, including the popular Twitter Scripts.

Having signed up to Twitter in April 2008, he didn't really become active on it until early 2009. Since then he has been a Twitter fanatic!

To stay up to date with James please follow him @Twiter_Scripts on twitter or visit his company.