Twitter administrator account hacked, others compromised

It seems Twitter is still having its share of security trouble. According to Cnet, a person going by the name Hacker Croll was able to break into a Twitter administrator account by guessing the secret question used to reset the administrator's password on the Yahoo e-mail account where the Twitter password was stored. This person was also able to view the details of 10 other accounts, including those of Britney Spears and Ashton Kutcher, according to screenshots posted to a French blog site.

Twitter co-founder Biz Stone said that while no account information was altered or removed in any way, the e-mail address, mobile phone number, and list of accounts blocked by that user were viewed.

Twitter employee Jason Goldman tweeted on Wednesday that his Yahoo account had been hacked.

We at Neowin urge users to create strong, hard-to-guess passwords, and to be careful about what information they reveal to other people. Social engineering is an easy way to get personal information out of people. During the 2008 US presidential election, the Yahoo mail account of Alaska Gov. Sarah Palin was compromised in a similar fashion, after a college student was able to answer the secret questions used on her personal account.


43 Comments

I wonder if the twitter admin has a blog on there?

"Hi everyone - just got promoted to admin. Pretty cool huh? I'll tell you more soon"

"My first big decision today: change my password to 123456. Boy do I love my power"

"Funny thing happened this morning, my password doesn't work. And I got a voice mail from Ashton - he is upset that millions and millions of his fans don't know what he had for breakfast"

"someone is playing jokes on me. Putting pink slips with YOU'RE FIRED!!! on them all over my desk"

"Anyone looking for a good system admin? I need a job"

"We at Neowin urge users to create strong, hard to guess passwords, and to be careful as to what information is revealed to people."

What would REALLY make sense is for us here on Neowin to encourage others NOT to use that twit infested site to begin with!!

Agreed. You'd think they would only allow it internally and then have a secure VPN or something similar setup to enable access remotely.

I really hate the use of secret questions and answers in security; even more so when you have to select the question from a drop-down list.

All of your friends are going to know "Who is my favourite music band?" and if you make up a fake answer, how are you supposed to remember it?

There has to be a better alternative out there somewhere!

Lol, I just slam on my keyboard to fill in my secret question. I never tell anyone any of my passwords in any way and I will never forget any.

m.keeley said,
Clever, so when they ask you for your secret answer what do you do, slam on the keyboard again?

Oh god, both of those comments are the best!!

m.keeley said,
Clever, so when they ask you for your secret answer what do you do, slam on the keyboard again?

Why should anyone ask me if I don't forget my password?

I'm using alternate emails for most of the things. If they got into one account, chances are low they also got into the other, 'cause I tend to slam a little differently every time.

My bank asks you one of a few security questions they asked you before whenever you access their site from a browser without their authentication cookie in it.

So if you pressed random keys you'll have a good long time trying to get to your password box :P

lol, wow... these admins are noobs, it's just funny. Guessing folks' secret question to reset their email etc. is the oldest trick in the book and this could have been prevented :P

How dumb do you have to be to use an easily hacked password for anything remotely important? As for an admin doing it, it is inexcusable. For Gmail, eBay etc. I make sure to use an alphanumeric password of 15-20 characters.

You can use any answer for secret questions, it doesn't have to make sense; there's nothing to stop you using lsghztaj for your mother's maiden name if you wanted. No need to make it easy for others.

People tend to think that they have to tell the truth when it comes to security questions, which is why they can be the weak link. Even reversing the answer is too obvious really.

m.keeley said,
You can use any answer for secret questions, it doesn't have to make sense; there's nothing to stop you using lsghztaj for your mother's maiden name if you wanted. No need to make it easy for others.

Except for those sites that actually ask for that information when you sign in sometimes, or else they'll block you from signing in. o.O

@Justin: I don't understand; if you sign up with your mother's maiden name as abcdef then you just use that if asked when signing in. They don't check to see whether it's a valid name.

m.keeley said,
@Justin: I don't understand; if you sign up with your mother's maiden name as abcdef then you just use that if asked when signing in. They don't check to see whether it's a valid name.

Well, I usually just type in random stuff in there and hope that they never ask for it again. lol I think (and always have thought) that the "security" questions were stupid and an overall waste of time.

Secret questions are pointless.
What school did you go to?
What was your pet's first name?
What is your mother's maiden name?

God, anyone close to you could answer those questions. In fact anyone you meet in a bar and get into a chat with could find those not very important details out in no time.
Need to tie things to the likes of your mobile or something. The reset password gets sent to your mobile number as a text message or something.

How about not giving real answers, or using a simple code? Like if your pet's name was fred, make the answer joemailey-fred.

@up: Using a code would defeat the whole purpose of having an easy answer for something *random* only you would know.

Actually, why would an admin even have a security question? If an admin loses his password, he should pick up the phone and call the fellow admin to get it back.

Victor V. said,
Actually, why would an admin even have a security question? If an admin loses his password, he should pick up the phone and call the fellow admin to get it back.

He's a Twitter admin, not a Yahoo admin.

soldier1st said,
I agree that if you don't want it hacked then create strong passwords, and Sarah Palin is hot, not an idiot.

Both can go well with each other.

Nice way to insult someone for basically saying that they know a lot about her, because she is from their state, in the media, and was their governor....

pauldr777 said,
Being from Alaska and having personally met her multiple times, I have to vote you wrong on that one.

Meeting someone and knowing how they act in their own personal lives are two completely different cups of tea.

Let me say this: maybe by normal standards, she's not an idiot. But by President/Vice President standards, she's not the sharpest knife in the drawer.

That, and don't use Yahoo for your e-mail. :)

You'd think a Twitter employee would use the Twitter domain for e-mail... ?!

Justin- said,
That, and don't use Yahoo for your e-mail. :)

I suspect these hacks had more to do with social engineering than some vulnerability specific to Yahoo.