TechCrunch posted a great step-by-step account this morning that details almost exactly how the French hacker known as Hacker Croll (HC) was able to steal over 300 sensitive Twitter corporate docs, as well as gain access to numerous online accounts of several Twitter employees.
It's a long article, but very interesting, and if you have any interest in keeping a tight rein on the security of the data you keep online (email etc.), you owe it to yourself to give the TC post a thorough read. Now that we have details as to exactly what occurred and how it was done, my head is spinning with the myriad security issues raised by this incident. I plan to write a series of posts in the coming days discussing these issues in greater detail.
I quote here the TechCrunch summary of the attack:
- HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
- HC then read emails to successfully guess what the original Gmail password was, and reset the password to it so the Twitter employee would not notice the account had changed.
- HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
- HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
- HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
- Even at this point, Twitter had absolutely no idea they had been compromised.
Source: TechCrunch
WOW! So many things jump right out at me from reading this, including:
- Sloppy email and password account management by the Twitter employees concerned
- Dangers of mixing work and personal email activities
- What kind of online footprint you leave by your public participation in social networks, and how vulnerable to attack that can make you (actually this is hinted at not from the above summary account but other details in the TC post)
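The chain in the TechCrunch summary above is really a dependency graph: an account falls either when the mailbox its reset link goes to is controlled by someone else, or when its password is shared with an account that has already fallen. The Python below is an added example written for this post (it is not code from TechCrunch, Twitter or the original author) that models such an inventory and computes how far a single expired recovery address reaches, which is the question a defender should ask before an incident rather than after. All addresses, the `reuse_group` labels and the `expired` flags are constructed sample data that mirror the chain in the summary.

```python
from collections import deque

# Constructed sample inventory modelled on the chain described in the post:
# an expired Hotmail recovery address unlocks Gmail, the Gmail password is
# reused on the work (Google Apps) mailbox and on iTunes, and the work mailbox
# is the recovery address for the domain registrar account. Every address,
# group label and flag here is hypothetical.
ACCOUNTS = {
    "alice@hotmail.example":   {"recovery": None,                    "reuse_group": None,  "expired": True},
    "alice@gmail.example":     {"recovery": "alice@hotmail.example", "reuse_group": "pw1", "expired": False},
    "alice@work.example":      {"recovery": None,                    "reuse_group": "pw1", "expired": False},
    "alice@registrar.example": {"recovery": "alice@work.example",    "reuse_group": None,  "expired": False},
    "alice@itunes.example":    {"recovery": None,                    "reuse_group": "pw1", "expired": False},
    "bob@work.example":        {"recovery": "bob@gmail.example",     "reuse_group": None,  "expired": False},
}


def takeover_edges(accounts):
    """Return a mapping account -> set of accounts that fall if it falls.

    Two kinds of edge model the incident: a reset link delivered to a mailbox
    someone else controls, and a password shared with another account.
    """
    edges = {name: set() for name in accounts}
    groups = {}
    for name, info in accounts.items():
        if info["recovery"] in accounts:
            # controlling the recovery mailbox allows a reset on this account
            edges[info["recovery"]].add(name)
        if info["reuse_group"]:
            groups.setdefault(info["reuse_group"], set()).add(name)
    for members in groups.values():
        for name in members:
            # a reused password opens every other member of the group
            edges[name] |= members - {name}
    return edges


def blast_radius(accounts, start):
    """Accounts reachable from a single compromised account (excluding it)."""
    edges = takeover_edges(accounts)
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for nxt in edges[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def expired_recovery_roots(accounts):
    """Expired addresses (registrable by anyone) still used as a recovery
    address by a live account. These are the entry points to fix first."""
    referenced = {info["recovery"] for info in accounts.values() if info["recovery"]}
    return sorted(
        name for name, info in accounts.items()
        if info["expired"] and name in referenced
    )


def audit(accounts):
    """Map each expired recovery root to the accounts it would expose."""
    return {
        root: sorted(blast_radius(accounts, root))
        for root in expired_recovery_roots(accounts)
    }


if __name__ == "__main__":
    for root, reach in audit(ACCOUNTS).items():
        print(f"{root} (expired) exposes {len(reach)} accounts: {', '.join(reach)}")
```

Running the audit on the sample shows the one expired Hotmail address exposing four accounts, including the registrar account two hops away, while Bob's work mailbox exposes nothing because it shares neither a password nor a recovery path. The same structure works on a real inventory exported from a password manager or an identity provider; the two remediations it points at are the ones the incident makes obvious: no expired or unowned recovery addresses, and no shared passwords between accounts that sit in the same graph.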
More to come on this subject in the next few days.


Discussion
No comments for “Twitter Doc Theft – Details Revealed: Step By Step To How It Was Done”