Twitter Hack Exposed Accounts Of Obama, Others
A French hacker allegedly perpetrated the Twitter attack, claiming that he broke into the microblogging site's internal administration system, which gave him unfettered access to millions of Twitter users, including numerous celebrities' accounts. Altogether, the hack allowed the attacker to access e-mail addresses of compromised Twitter accounts, mobile phone numbers and the lists of accounts that the compromised users blocked.
The claim was reinforced by more than a dozen screenshots of Twitter's admin panel, which were uploaded to a French blog post, revealing that both Kutcher and Allen had blocked other Twitter users, including celebrity gossip-monger Perez Hilton, from contacting them. Meanwhile, the postings indicated that Obama had his own cadre of blocked Twitter users.
The hacker, going by "Hacker Croll," claims that he was able to access Twitter's administration panel after stealing a Twitter staffer's login credentials, which were stored in a Web mail account. The hacker was able to guess the answer to the administrator's "secret question" based on information found alongside those Twitter login credentials, and then used the site's reset function to create a new password.
"Then they were pretty much able to do whatever they wanted," said Michael Argast, security analyst for Sophos.
Twitter confirmed the hack in a security blog, but said that no personal messages were viewed and that no passwords or "account information was altered or removed in any way." Twitter said, however, that 10 individual accounts were viewed, and that it personally contacted the Twitter users whose accounts were compromised.
Twitter also said that it was conducting an independent security audit of all internal systems, and that it planned to implement additional security measures to prevent further attacks.
Twitter did not immediately return inquiries from Channelweb.com.
The hacking incident recalls a similar attack on the Twitter site in January, in which the hacker broke into an administrative account after guessing the password "happiness" and subsequently defaced numerous celebrity accounts.
Argast said that Twitter attacks will likely become more prevalent as the microblogging site continues to undergo explosive growth.
"Twitter has been growing dramatically," Argast said. "It has a lot of users these days. They've been targeted by the bad guys to use their platforms to spread malware."
Argast said that this latest assault on Twitter could have been prevented had the administrator kept passwords someplace other than an easily accessed Web mail account.
"Storing credentials in a Web mail account -- bad idea. Web mail has poor password recovery mechanisms," he said.
Security experts also contend that using some kind of third-factor authentication mechanism, such as a hard token security device, would have prevented the hackers from infiltrating the accounts even if they had figured out the password.
While Argast said that there was little users could do to protect their Twitter accounts from an administrative hack, there were a few precautions Twitter users could take to ensure their own security.
Argast said that users should ensure that their Twitter passwords are not also used to access other accounts, especially those holding sensitive information such as bank account numbers. Users are also advised to make up a "fake" answer to a "secret question," or one that can't be independently researched online, he said.