This is a translation of an article originally published in French on the Korben.info website.
I was contacted yesterday by the person who hacked Twitter. His pseudonym is Hacker Croll (here is the initial reference to Hacker Croll, in French). He explained to me that he was able to get into the various email boxes of Twitter employees, including those of Evan Williams and his wife. This gave him access to a whole range of astonishing information.
He had access to the PayPal, Amazon, Apple, AT&T, MobileMe and Gmail accounts of Evan Williams, Sara Morishige Williams, Margaret Utgoff and Kevin Thau (Twitter employees).
Here are the screenshots the hacker sent me:
He was able to access the registrar information for the Twitter domain name, and he could have redirected the twitter domain to any other IP address (or simply stolen the domain name).
But the most incredible thing was the quantity of internal Twitter information he was able to get hold of:
- the complete list of employees
- their food preferences
- their credit card numbers
- some confidential contracts with Nokia, Samsung, Dell, AOL, Microsoft and others
- direct emails with web and show-business personalities
- phone numbers
- meeting reports (very informative)
- internal document templates
- time sheets
- applicant resumes
- the salary grid (time for me to move... lol)
But among all this information, you can also see some amusing things, such as:
- the "possible" launch of a reality TV show in which contestants will travel across the USA and win challenges thanks to their followers, with a $100,000 prize at the end (but for a nonprofit organization)
- Some growth predictions targeting 25 million users by the end of 2009, 100 million by the end of 2010, 350 million by the end of 2011... with revenue figures that I will not disclose here...
- A list of new celebrity accounts such as Wyclef Jean, Duran Duran, Cartoon Network, Cisco, UCLA, Guillaume Pepy (CEO of the SNCF, one of the biggest French companies), Nirvana, Toshiba, 50 Cent, etc.
- The plan for their new offices, with a list of wishes from employees who would like a nap room, a games room, plants, a chef, a meditation room, a bicycle room, adjustable desks, a gym, a washer/dryer, wifi, lockers, a wine cellar, an aquarium and more... They seem to have imagination...
- We also learn their ideas about Twitter monetization... Of course there are certified accounts, but also advertising, with the ability to place AdSense widgets, or sponsored tweets. Twitter also wants to be the first service to reach a billion users (which is highly probable). They define themselves more as a "nervous system" than as an alert system.
- We also learn that the French president will soon use Twitter (@NicolasSarkozy) and that Nicolas Princen will be the one handling it.
- And there are also some "test" T-shirt and cap designs.
So Twitter was visited by this hacker. Since then, everything is back to normal thanks to the security recommendations:
passwords have been changed. The information provided by Hacker Croll dates from the beginning of May, but it is still very instructive. In his email, Hacker Croll explains the lessons to draw from this misadventure:
What I would like to say is that even the biggest and the strongest do silly things without realizing it, and I hope that my action will help them realize that nobody is safe on the net. If I did this, it's to educate those people who feel more secure than simple Internet novices. And security starts with simple things like secret questions, because many people don't realise the impact these questions can have on their lives if somebody is able to crack them.
As for me, I've put here only the information that does not work against Twitter, because I am a big fan of Evan and his team's work. I've just relayed some of Hacker Croll's information, and what I can tell the Twitter team is that this hacker seems to have a code of conduct that will not cause any harm to the company.
Now, this hacking demonstration clearly shows that it is very easy to get hold of a password by guessing the answer to a secret question, from there to get into other accounts (Facebook, Gmail and others), and from there into the heart of a company: both by accessing confidential data and by paralyzing the business simply by taking over a few domain names or admin accounts.
So, don't stop being paranoid. Don't use secret questions, use a different password for each of your accounts, don't put sensitive documents online, etc. In short, be careful.
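To make the point about secret questions concrete, here is an added example (my own illustration, not code from the Korben article, from Hacker Croll, or from Twitter). It models a password reset guarded by a "What is your pet's name?" question and shows how few guesses a small dictionary needs, then contrasts it with the kind of recovery flow one would use instead: a random single-use code, stored only as a salted hash, compared in constant time and locked out after a few failures. The class and function names, the pet-name list and the attempt limit are all constructed for the example.

```python
"""Added example: secret-question reset vs. random recovery code.
Names, wordlist and limits are constructed for illustration only."""
import hashlib
import hmac
import math
import secrets

# Constructed wordlist. Answers to "What is your pet's name?" are drawn
# from a short list and are frequently public (blogs, social profiles).
COMMON_PET_NAMES = ["max", "buddy", "charlie", "bella",
                    "lucy", "molly", "rocky", "daisy"]


def answer_space_bits(candidates):
    """Entropy (in bits) of an answer chosen uniformly from `candidates` values."""
    return math.log2(candidates)


class SecretQuestionReset:
    """Knowledge-based reset: whoever knows (or guesses) the answer wins."""

    def __init__(self, answer):
        # Typical normalisation, which shrinks the answer space further.
        self._answer = answer.strip().lower()

    def check(self, guess):
        return guess.strip().lower() == self._answer


def guess_secret_answer(reset, wordlist):
    """Dictionary attack against a SecretQuestionReset.
    Returns (answer, attempts) or (None, attempts) if the list is exhausted."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if reset.check(candidate):
            return candidate, attempts
    return None, attempts


class RecoveryCodeReset:
    """Hardened alternative: random single-use code delivered out of band,
    stored only as a salted hash, checked in constant time, rate limited."""

    MAX_ATTEMPTS = 5  # constructed limit for the example

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._digest = None
        self._failures = 0
        self._used = False

    def _hash(self, code):
        return hashlib.sha256(self._salt + code.encode("utf-8")).digest()

    def issue(self):
        """Create a fresh code (about 256 bits of entropy). The caller sends it
        out of band (e-mail/SMS); only its hash is kept server side."""
        code = secrets.token_urlsafe(32)
        self._digest = self._hash(code)
        self._failures = 0
        self._used = False
        return code

    def redeem(self, code):
        """True exactly once for the right code, False otherwise (wrong code,
        already used, not issued, or locked out after MAX_ATTEMPTS failures)."""
        if self._used or self._digest is None:
            return False
        if self._failures >= self.MAX_ATTEMPTS:
            return False
        if hmac.compare_digest(self._hash(code), self._digest):
            self._used = True
            return True
        self._failures += 1
        return False


if __name__ == "__main__":
    weak = SecretQuestionReset("Buddy")
    print("secret question cracked:", guess_secret_answer(weak, COMMON_PET_NAMES))
    print("answer space bits:", answer_space_bits(len(COMMON_PET_NAMES)))
    strong = RecoveryCodeReset()
    code = strong.issue()
    print("wrong code accepted:", strong.redeem("not-the-code"))
    print("right code accepted:", strong.redeem(code))
    print("replayed code accepted:", strong.redeem(code))
```

The contrast is the whole lesson of the article: the secret-question answer falls in a couple of guesses because the answer space is a few bits wide and the check can be retried freely, whereas the recovery code cannot be guessed, cannot be read out of the database if it leaks, cannot be replayed, and stops being checkable after a handful of failures.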