Report: Hacker broke into Twitter e-mail with help from Hotmail
'Hacker Croll' spills details to TechCrunch, site that published internal Twitter docs
Computerworld - The hacker who stole confidential Twitter documents used a feature of Microsoft's Hotmail to hijack an employee's work e-mail account, the site that has published some of the Twitter documents said Sunday.
According to TechCrunch, the Web site that last week broke the story about the Twitter breach and has posted some of the stolen information, the hacker calling himself Hacker Croll took advantage of poor password practices, Hotmail's inactive account feature and personal information on the Web to pinch hundreds of Twitter documents.
TechCrunch said it convinced Hacker Croll to divulge the details of his attack, and over the course of several days' conversations was able to piece together not only the original breach, but how some information he obtained allowed him to compromise the e-mail accounts of Evan Williams, Twitter's CEO, and one of its co-founders, Biz Stone.
Hacker Croll first jacked the personal Gmail account of a Twitter employee -- last week Stone identified the person as an administrative assistant with the company -- by resetting the account's password. To do that, Hacker Croll had to answer one or more personal questions used to authenticate the user. According to TechCrunch, Hacker Croll had previously researched this employee, and others at Twitter, by digging through the Internet for likely responses.
Security experts last week speculated that the same process used by a Tennessee college student to break into Alaska Gov. Sarah Palin's Yahoo e-mail account was at the root of the Twitter breach.
"[This was] about weak passwords that are easily guessable, with a huge contribution from people's habit of putting online information that they wouldn't otherwise share with anyone but their closest friends," Sam Masiello, vice president of information security at MX Logic said last week in an interview. "It's not hard to crack [password resets] with the information you can find freely available on social networking sites."
At that point, although Hacker Croll had control of the Twitter employee's personal Gmail account, he could not hide his tracks, as the user would have quickly known something was amiss the next time he or she tried to log on to Gmail, and was rebuffed.
"On requesting to recover the password, Gmail informed [Hacker Croll] that an email had been sent to the userÄôs secondary email account," wrote TechCrunch's Nik Cubrilovic. "Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com."
Hacker Croll deduced that the account was on Hotmail, and then attempted to recover the password on that account as well. The Hotmail account was inactive, however -- a Microsoft practice designed to recycle dormant accounts -- which allowed him to register the inactive Hotmail account. He returned to Gmail and again went through the password recovery process, specifying a password of his own. The new password was then sent to the just-hijacked Hotmail account. "Within a few moments [Hacker Croll] had access to the personal Gmail account of a Twitter employee," explained Cubrilovic. "The first domino had fallen."



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Protecting Point of Sale Systems from Targeted Attack
- If you are responsible for protecting retail systems, download this case study to learn how this retailer eliminated the threat of malware on...
- From the Frontline - Preventing APT
- Is your company's network secure? Are your endpoints and servers secured? Before you answer, read this case study on a US Military Command...
- Stop Hackers Before They Attack
- Hacktivism, Identify Theft, Financial Gain, Cyber War - regardless of motivation, stopping today's hackers requires a new proactive approach to protecting endpoints. Learn...
- The four rules of complete web protection
- As an IT manager you've always known the web is a dangerous place. But with infections growing and the demands on your time...
- Protecting personally identifiable information
- This white paper examines the challenges organizations face and the steps they can take to protect themselves and their customers against data breaches... All Cybercrime and Hacking White Papers
- WikiLeaks: How am I Affected?
- The latest WikiLeaks episode has raised questions about how organizations and governments protect their sensitive information. While this incident was isolated, it has...
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn... All Cybercrime and Hacking Webcasts