Twitter Admin Account Hacked Through Social Engineering
In another attack on the micro-blogging platform Twitter, a hacker last week obtained access to a Twitter administrative account and subsequently leaked private information from ten profiles, including some belonging to the most popular celebrities.
"I've just hacked twitter.com yesterday in the afternoon and I've got full access to the Admin Panel that was secured with .htaccess," someone going by the handle Hacker Croll wrote on April 29 across several message boards. Initially dismissed by those communities as untrue, the claim was confirmed by Twitter the following day.
The hacker used social engineering to obtain the password of Jason Goldman, director of product management at Twitter. "One of the admins has a Yahoo account, I've reset the password by answering the secret question. Then, in the mailbox, I have found her Twitter password," Hacker Croll explained.
The e-mail hack was confirmed by Jason Goldman, who posted several messages on Twitter while it was happening: "Wow – my Yahoo mail account was just hacked," "I think I'm back in! Caught it before I couldn't restore from the other email addresses on file," "Wait! We're in a tug of war over control of the account. This is nuts. I hope I win," "Uh-oh. Got some kinda Y! Mail grey screen of death. I'm getting pwnd!" and "If anyone with Yahoo Security is out there, hit me up with an @reply."
The hacker obtained access to administrative tools, which allowed him to see the e-mail address and IP address used to register any account, the last IP address used to log in, and the list of users blocked from sending messages to those accounts.
"Twitter takes security very seriously, so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data," Twitter co-founder Biz Stone wrote on the company's blog after the incident. However, many security professionals remain skeptical of such claims and consider that the flood of attacks that has hit the service this year alone suggests a more serious underlying problem with its security practices.
In fact, at the beginning of January, a hacker calling himself GMZ hijacked the account of another administrator and posted fake messages impersonating the likes of Britney Spears, Barack Obama, Rick Sanchez and Fox News. GMZ claimed that he had obtained access to the administrative account by running a brute-force dictionary attack, which succeeded because the account was protected by the weak password "happiness."