Hacker Croll Hacks Into Twitter Account Via Password Retrieval

Holy crap. This does not sound good, and Evan Williams (@ev, founder of Twitter) is clearly distressed about the whole thing. News stories are popping up all over the place reporting that Twitter was hacked. The more I read about it, though, the more it looks like user accounts were not the goal. In fact, Ev says that no user accounts were compromised. Instead, the hacker got into a Twitter employee's personal email account. From there, Hacker Croll used password retrieval (and social engineering) to work through every service tied to that mailbox. Hacker Croll claims to have gotten into all sorts of stuff: email accounts, PayPal accounts, Apple accounts, Twitter accounts, Twitter's domain name account at GoDaddy, phone numbers, time sheets, even Twitter financial projections. It's amazing what Hacker Croll claims to have accessed.

I’ve been running through the headlines. From what I can tell, here’s what happened:

  • In May, an anonymous hacker going by the name Hacker Croll broke into Twitter (PC World)
  • He gained access to the Twitter account of Jason Goldman, a director of product management with Twitter
  • Hacker Croll posted 13 screenshots to a French online discussion forum (Zataz.com – posts have since been removed by Hacker Croll)
  • Twitter co-founder Biz Stone (@biz) confirmed the break-in (Blog.Twitter.com)
  • Hacker Croll claims: “one of the admins has a Yahoo account, I’ve reset the password by answering the secret question. Then, in the mailbox, I have found her Twitter password…” (WarezScene.org)
  • Here is a roughly translated list of everything Hacker Croll claims to have gotten access to: Twitter Hacked!
  • Ev confirms an attack, but claims it was not an attack on Twitter and that no Twitter user accounts were compromised (TechCrunch.com)
  • TechCrunch gets a zipped file with 310 Twitter documents (TechCrunch.com)
  • Update: TechCrunch publishes a Twitter financial forecast document from February 2009 (TechCrunch.com)

So there. That's the story so far. Wow. I just read it again. I'm not sure if this is the work of one hacker or several. The screenshots don't look photoshopped. Either way, I feel very bad for Ev. Having your own account hacked is one thing, but his wife's account was also hacked. It sucks when people target your family. And it looks like Hacker Croll got all of this access by correctly guessing passwords and security-question answers for email accounts, then chaining password resets from the mailbox outward: whoever controls the recovery email controls every account that resets through it. Hacker Croll certainly has some skills. From Hacker Croll:

What I would like to say is that even the biggest and the strongest do silly things without realizing it, and I hope that my action will help them to realize that nobody is safe on the net. If I did this, it’s to educate those people who feel more secure than simple Internet novices. And security starts with simple things like secret questions, because many people don’t realise the impact of these questions on their life if somebody is able to crack them.

How do you protect against someone socially engineering their way into your account? A "secret" question like your favourite colour or your mother's maiden name is a password with a tiny, guessable answer space, and a reset flow that hands over the account on one correct answer, with no attempt limit and no second channel, is only as strong as that guess. I guess Ev, his family and the Twitter employees will have to take extra security precautions with their personal email accounts. It sucks for them, but they'll come out of this stronger. Good luck, Ev. You've got my support.
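To make the point concrete, here is an added example (my own constructed model, not Yahoo's, Twitter's or Hacker Croll's code) of the recovery flow the quote describes, beside a hardened version. The candidate answer list, the attempt limit, the lockout and token lifetimes, and the `deliver` callback standing in for an out-of-band channel are all assumptions. The weak flow hands out a new password on the first correct guess with no limit; the hardened flow hashes the stored answer, locks after a few failures, and treats a correct answer only as permission to send a short-lived token to a channel the attacker does not hold (sending it to the same compromised mailbox would recreate the original problem).

```python
"""Constructed model of secret-question account recovery: the weak flow the
attacker described beside a hardened one. Not the code of any real provider;
limits, names and the candidate list are assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for stored answer hashes

# Constructed candidate list for a low-entropy question such as "favourite colour".
COMMON_COLOURS = ["blue", "red", "green", "black", "purple",
                  "pink", "yellow", "orange", "white", "brown"]


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise (strip, lowercase) and stretch so the stored value is not the plaintext answer."""
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, PBKDF2_ITERATIONS)


class WeakRecovery:
    """The flow in the quote: one correct answer to the secret question, no attempt limit,
    and the account immediately gets a new password the caller can read."""

    def __init__(self, answer: str):
        self._answer = answer.strip().lower()
        self.password = "original-password"  # placeholder, assumed

    def reset(self, guess: str):
        if guess.strip().lower() == self._answer:
            self.password = secrets.token_urlsafe(12)
            return self.password
        return None


class HardenedRecovery:
    """Hashed answer, attempt limit with lockout, and a correct answer only sends a
    single-use, short-lived token through a separate channel (`deliver`)."""

    MAX_ATTEMPTS = 5          # assumed
    LOCKOUT_SECONDS = 3600    # assumed
    TOKEN_TTL_SECONDS = 600   # assumed

    def __init__(self, answer: str, deliver, clock=time.time):
        self._clock = clock
        self._deliver = deliver            # sends token out of band (SMS, second mailbox, ...)
        self._salt = secrets.token_bytes(16)
        self._answer_hash = _hash_answer(answer, self._salt)
        self._failures = 0
        self._locked_until = 0.0
        self._pending = None               # (sha256(token), expiry) while a reset is open
        self.password = "original-password"

    def request_reset(self, guess: str) -> str:
        now = self._clock()
        if now < self._locked_until:
            return "locked"
        if not hmac.compare_digest(_hash_answer(guess, self._salt), self._answer_hash):
            self._failures += 1
            if self._failures >= self.MAX_ATTEMPTS:
                self._locked_until = now + self.LOCKOUT_SECONDS
                self._failures = 0
            return "denied"
        self._failures = 0
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token; the plaintext goes out on the separate channel.
        self._pending = (hashlib.sha256(token.encode()).digest(), now + self.TOKEN_TTL_SECONDS)
        self._deliver(token)
        return "token-sent"

    def complete_reset(self, token: str, new_password: str) -> bool:
        if self._pending is None:
            return False
        digest, expiry = self._pending
        if self._clock() > expiry:
            self._pending = None           # expired tokens are discarded
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest):
            return False
        self._pending = None               # single use
        self.password = new_password
        return True


def attack_weak(account: WeakRecovery, candidates):
    """Guess the question from a list; returns (attempt number, new password) or None."""
    for n, guess in enumerate(candidates, 1):
        pw = account.reset(guess)
        if pw is not None:
            return n, pw
    return None


def attack_hardened(account: HardenedRecovery, candidates):
    """Same guess list against the hardened flow; returns the outcome of each attempt."""
    return [account.request_reset(g) for g in candidates]
```

With the answer "white" (ninth in the list) the weak flow falls on the ninth try, while the hardened flow locks after five failures and the attacker never reaches the right answer; even a correct guess would only produce a token delivered somewhere the attacker cannot read. The real lesson from the story is the second half of that: the recovery channel has to be something the attacker does not already own.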