Details of the Twitter attack revealed
Posted by: Dave on Jul 21, 2009
Those of you who read TechCrunch regularly will be familiar with their ongoing reporting of the recent attack on Twitter. When the story first broke back in May it was unclear exactly what had happened, and there was plenty of speculation about how the attack had been carried out. Twitter's CEO, Evan Williams, commented that Twitter itself had not been affected and that most of the sensitive information taken was personal rather than company related. The person behind the attack (known as Hacker Croll) disagreed: a large amount of Twitter corporate information had been compromised, and in response to that comment he sent 310 confidential documents to TechCrunch. That prompted a flood of posts, comments, tweets and discussion on TechCrunch about the documents and what TechCrunch should do with them.

Earlier this week TechCrunch published more details of the attack. They spoke with the attacker to find out how it was carried out and what its scope was, and they also spoke with Twitter and gave them time to close the security holes before publishing the story. Here is a brief summary of what happened:
- The hacker first collected as much information as he could find on Twitter employees, which enabled him to build a profile of each one.
- He then gained access to the Gmail account of one Twitter employee through Gmail's password recovery feature, which sends a reset link to a secondary email address. As a reminder of which address that is, the feature shows an obfuscated version of it; in this case it was "******@h******.com". Using the profile he had already built for this employee he made an educated guess at the full address. At this point Hacker Croll got lucky: the Hotmail address had expired, so he simply registered it himself, received the reset link and reset the Gmail password.
- With access to the Gmail account he searched it for emails containing a password and found the same password in a number of them, sent by various services the account owner had signed up for. He then changed the Gmail password to that password and once again got lucky: it was the owner's real Gmail password. Because the password was back to what the owner expected, the owner had no idea that someone else now had access to the account.
- With access to the employee's email and knowledge of their standard password, it was only a matter of time before Hacker Croll had access to the employee's Twitter email on Google Apps, to AT&T, MobileMe, Amazon and iTunes, and to control of Twitter's domain names at GoDaddy. He also obtained full credit card details in clear text, thanks to a security hole in iTunes.
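To make the second and third steps above concrete, here is an added example of my own (not code from the original reporting, from TechCrunch or from Twitter) that replays them against constructed data. It assumes that the masked recovery hint keeps the length of the hidden characters, which is what lets a short list of addresses gathered about the target be narrowed down, and it uses a constructed mailbox with a deliberately simple regular expression to show how quickly a reused password surfaces from welcome emails. The address list, the messages and all function names are illustrative assumptions.

```python
"""Replay of the recovery-hint guess and the mailbox password search.

Added example, not from the original post or from TechCrunch's reporting.
Assumptions: the mask keeps the length of the hidden characters, the
candidate addresses and the mailbox messages are constructed for
illustration, and the regular expression is a deliberately simple one.
"""
import re
from collections import defaultdict


def mask_matches(mask, candidate):
    """True if `candidate` is consistent with a mask such as '******@h******.com'.

    Every '*' hides exactly one character (assumption); any other character
    in the mask must appear unchanged at the same position.
    """
    candidate = candidate.lower()
    if len(mask) != len(candidate):
        return False
    return all(m == "*" or m == c for m, c in zip(mask, candidate))


def candidates_for_mask(mask, profile_addresses):
    """Narrow a list of addresses gathered about the target to those the hint allows."""
    return [addr for addr in profile_addresses if mask_matches(mask, addr)]


# Pattern for the phrasing used by the constructed welcome emails below,
# e.g. "password is hunter2" or "Password: hunter2". Real mail needs more.
PASSWORD_RE = re.compile(r"(?i)\bpassword\s*(?:is|:)\s*(\S+)")


def harvest_passwords(messages):
    """Map each password found in the mailbox to the senders that disclosed it.

    `messages` is a list of (sender, body) tuples.
    """
    found = defaultdict(list)
    for sender, body in messages:
        for match in PASSWORD_RE.finditer(body):
            found[match.group(1)].append(sender)
    return dict(found)


def reused_passwords(found, min_services=2):
    """Passwords disclosed by at least `min_services` distinct senders."""
    return {pw: senders for pw, senders in found.items()
            if len(set(senders)) >= min_services}


# --- constructed data, standing in for the OSINT profile and the inbox ---
RECOVERY_HINT = "******@h******.com"
PROFILE_ADDRESSES = [
    "dwilson@hotmail.com",   # local part too long for the mask
    "davew1@hotmail.com",    # consistent with the mask
    "davew1@hushmail.com",   # domain too long for the mask
    "davew1@gmail.com",      # wrong domain initial
    "dwil01@hotmail.com",    # consistent with the mask
]
MAILBOX = [
    ("welcome@forum.example", "Thanks for registering. Your password is Tw1tter09"),
    ("noreply@shop.example", "Account created. Login: dave, Password: Tw1tter09"),
    ("support@bank.example", "Never share your password with anyone."),
    ("alerts@photos.example", "Your password: Sunny-Day-42"),
]


def replay_attack(hint=RECOVERY_HINT, addresses=PROFILE_ADDRESSES, mailbox=MAILBOX):
    """Run both steps and return what an attacker would learn from them."""
    guesses = candidates_for_mask(hint, addresses)
    found = harvest_passwords(mailbox)
    return {
        "recovery_guesses": guesses,
        "reused": reused_passwords(found),
    }


if __name__ == "__main__":
    result = replay_attack()
    print("Recovery addresses consistent with the hint:", result["recovery_guesses"])
    for pw, senders in result["reused"].items():
        print(f"Password {pw!r} reused across: {sorted(set(senders))}")
```

Run against the constructed data, the hint cuts five plausible addresses down to two, and the mailbox search reports a single password shared by two services. The same `harvest_passwords` routine, pointed at an export of your own inbox, is a quick way to find out how many services have mailed you a password in clear text and whether it is one you still use elsewhere.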
If you have the time I would recommend reading the full article on TechCrunch, as it goes into far greater detail on the attack and the attacker's motives. This is not my first blog post about an incident where the security of an organisation was compromised by something or someone outside its direct control. In Twitter's case an employee's personal Gmail account was compromised, and as a result the security of the entire organisation was compromised. Earlier this year we reported how 2,100 Irish email addresses had been published along with their passwords for a website; the list included Gmail, Hotmail, banking, university and HSE addresses. I finished that post with three web security lessons we could learn from the incident, and all three are just as relevant here:
- Do not use the same password for multiple sites. I know I use 'levels' of passwords: when I sign up for something trivial that requires an account I use one particular password which I do reuse, however any sites that hold credit card data, and all my email accounts, use different, strong passwords.
- Only use your work email address for work-related sites.
- No matter how much emphasis you place on your own online security, you and your online reputation are still at risk whenever your details are entrusted to others.
Is there anything else we should learn from the Twitter attack?
Dave