Twitter Hacked!

This is a translation of an article published in French, on the Korben.info website

twitter fail whale Hack de Twitter   La suite...

I’ve been contacted yesterday by the guy who have hacked Twitter. His pseudo his Hacker Croll (here is the initial reference to Hacker Croll, but in French) and explained to me that he was able to access to the various email boxes of the twitter employee including Evan Williams ones and his wife. This allowed him to have access to all a number of astonishing informations.

He had access to the Paypal, Amazon, Apple , AT&T, MobileMe and Gmail accounts of Evan Williams, Sara Morishige Williams, Margaret Utgoff and Kevin Thau (twitter employees)

Here are the snapshots that the hacker sent to me:

Evan Williams1 Hack de Twitter   La suite...

He was able to access to the Registar information of the Twitter domain name, and he could have been able to redirect twitter domain name to any other IP address (or simply steal the domain name)

Capture 1201 Hack de Twitter   La suite...

Capture 115 Hack de Twitter   La suite...

But the most incredible, was the quantity of internal information that he was able to get on Twitter:

  • the complete list of employees
  • their food preferences
  • their credit card numbers
  • some confidential contracts with Nokia, Samsung, Dell, AOL, Microsoft and others
  • direct emails with web and showbizz personalities
  • phone numbers
  • meeting reports (very informatives)
  • internal document templates
  • time sheet
  • applicant resumes
  • salary grid (time for me to move..lol)

But amongst all these information, you can see some funny things like:

  • the “possible” launch of a TV reality show where contestant will go across USA et will win contests thanks to their followers, with a 100 000$ price at the end (but for a nonprofit organization)
  • Some growing predictions that target 25 millions of users end of 2009, 100 millions ends of 2010, 350 millions ends of 2010…with revenue  that I will not disclose here…
  • A list of new star account like Wyclief Jean, DuranDuran, Cartoon Network, Cisco, UCLA, Guillaume Pepy (CEO of one of the biggest french company, the SNCF), Nirvana, Toshiba, 50 Cents,…. etc…

Capture 1101 Hack de Twitter   La suite...

  • The plan of their new offices with a list of whishes from the employee who would like a sleeping room, a playing room, plants, a chief cuisto, a meditation room, bicycle room, adjustable desks, sport room,washer/dryer, wifi, lockers, wine cellar, an aquarium and others…They seems to have imagination….

Capture 93 Hack de Twitter   La suite...

  • We learn also their idea about Twitter monetization…Of course, we’ve got certified accounts, but also advertising with the ability to put AdSense widget,  or sponsored tweets. Twitter whish also to be the first service to reach the billion of  users (which is highly probable). They defined themself more as a “nervous system” than an alert system.
  • We also learn that french president will soon use Twitter (@NicolasSarkozy ) and that Nicolas Princen which will do this.
  • And we’ve got also some “test” of t-shirt and cap designs

Capture 10621 Hack de Twitter   La suite...

Capture 1032 Hack de Twitter   La suite...

So Twitter has been visited by this hacker. Since then, everything is back to normal thanks to security recommendations:

Capture 1121 Hack de Twitter   La suite...

passwords have been changed. The information given by Hacker Croll is from beginning of may, but are still very instructive. In his mail, Hacker Croll explains the things to learn from this misadventure:

What I would like to say is that even the biggest and the strongest do silly things without realizing it and I hope that my action will help them to realize that nobody is safe on the net. If I did this it’s to educate those people who feel more secure than simple Internet novices.And security starts with simple things like secret questions because many people don’t realise the impact of these question on their life if somebody is able to crack them.

concerning me, I’ve put here only the information that are not against twitter because I am a big fan of Evan and his team works. I’ve just relayed some information of Hacker Croll and what I can tell to Twitter team is that this hacker seems to have a conduct code which will not give any prejudice to the company.

Now, clearly, we see from this hacking demonstration that it’s very easy to guess a simple password from a secrete question, and from this to enter into other account (Facebook, GMail and others) and from this enter in the heart of a company, both in accessing confidential data  but also by paralyzing business symply by getting a few domain names or admin accounts.

So, don’t stop to be paranoid. Don’t use secret question, use a different password for each of your account, don’t put inline sensible documents, etc… In short, be careful..

27 thoughts on “Twitter Hacked!”

  1. So we are supposed to buy into the sentiment that “Hacker Croll” has done us all a favor ? He/she has done little more than demonstrate a lack of hacker integrity by *not* doing any damage to Twitter, a company whose leadership ought to pay the price for taking a risk and losing. I don’t believe that Twitter could not have hired an Internet security specialist who could have easily foreseen this attack. Call me a cynic, but this all just smells like an elaborate publicity stunt.

  2. hey it seems that you are going to make Hacker Croll a celebrity,
    Every system has a loop hole and it can be repaired when someone finds the bug in it. So now twitter is safe.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>