Twitter Hacked

This morning at around 9am Pacific “under 50” of the most-followed Twitter users lost control of their accounts, including Barack Obama, CNN’s Rick Sanchez, Fox News, and me.
Both my password and the reset email address were modified. As far as I know the hacker didn’t post on my account, but Fox News tweeted “Bill O’Reilly is gay” and Rick Sanchez announced that he was taking the day off because he was on crack. Twitter was quick to remove these spurious posts and block the hacker. But what really happened?

I got this explanation from Twitter’s John Adams, @netik, via Qik on my iPhone at the Tweetup at the 21st Amendment tonight. According to John, the hacker gained access to Twitter’s admin tools.

[qt:http://leoville.com/wp-content/uploads/2009/01/200901twitterhack.mov 480 400]

Scary.

19 Replies to “Twitter Hacked”

  1. It is no different to what people using the Windows operating system have been exposed to over the last few decades – with popularity comes traffic and an urge from those of the dark side of the force to corrupt and get some kind of status kick out of it. It should be expected as a by-product of success. Always someone out there wanting you to fall. 🙂

  2. Holy Moly! That is seriously scary. On a similar note, I've seen some of the most popular UStreamers get hacked in the past week. I wonder what is in the air lately?

  3. Leo has cut out some of the discussion I had with him here, but, basically, an admin tool was abused allowing a rogue user to modify some accounts on Twitter. As described in our status blog at status.twitter.com, we have modified our site to restrict admin privileges to appropriate users and to prevent the abuse that allowed this attack to occur. Please understand that our staff is on the job and we will do all we can to protect our users, and have dedicated a team of engineers to this issue. Nice meeting you this evening, Leo.

  5. Twitter has been hacked? Very scary that this happened. The admin area is very sensitive and needs extra security after this. You can learn more about taking good care of admin security after this. Keep up the good work, team Twitter….

  6. Twitter broke some very simple security rules: enforce complex passwords (especially for your admin accounts), and lock an account out after a certain number of failed attempts. The hacker used a simple dictionary password attack to break in. What I really find deplorable is John's comment that obtaining the hacked users' real e-mail address from a backup would be “very time consuming.” I think the very least you'd want to do for your most prominent users is to send them a new password so they can get back on Twitter ASAP. I'd understand if it were the hacked users that chose poor passwords, but it was Twitter's own staff that provided the security hole.
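The two controls this comment names, a failed-attempt lockout and a password policy for privileged accounts, as an added example (not Twitter's code and not the commenter's). Thresholds, the common-password list, the account and the replayed attempt log are all constructed for the demo.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed policy values for this example; tune to your own environment.
MAX_FAILURES = 5             # lock the account after 5 failed passwords
LOCKOUT_SECONDS = 900        # keep it locked for 15 minutes
MIN_ADMIN_PASSWORD_LEN = 12
# Constructed stand-in for a real common-password dictionary.
COMMON_PASSWORDS = {"password", "123456", "letmein", "qwerty", "admin123"}


def password_meets_policy(password: str) -> bool:
    """Admin password rule: long enough, 3+ character classes, not a dictionary word."""
    if len(password) < MIN_ADMIN_PASSWORD_LEN or password.lower() in COMMON_PASSWORDS:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


class LoginGuard:
    """Tracks failed attempts per account and refuses logins while it is locked out."""

    def __init__(self, credentials: dict):
        # username -> sha256 hex digest (demo only; use a slow password hash in production)
        self._hashes = credentials
        self._failures = defaultdict(list)   # username -> timestamps of recent failures

    def is_locked(self, user: str, now: float) -> bool:
        recent = [t for t in self._failures[user] if now - t < LOCKOUT_SECONDS]
        self._failures[user] = recent        # drop failures that aged out of the window
        return len(recent) >= MAX_FAILURES

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'locked', 'ok' or 'bad'. A locked account rejects even the right password."""
        if self.is_locked(user, now):
            return "locked"
        given = hashlib.sha256(password.encode()).hexdigest()
        expected = self._hashes.get(user, "")
        if expected and hmac.compare_digest(given, expected):
            self._failures[user].clear()
            return "ok"
        self._failures[user].append(now)
        return "bad"


def demo():
    """Constructed scenario: a burst of dictionary guesses against 'admin', then a retry later."""
    admin_pw = "Correct-Horse-Battery-77"   # constructed; passes password_meets_policy
    guard = LoginGuard({"admin": hashlib.sha256(admin_pw.encode()).hexdigest()})
    guesses = ["password", "123456", "letmein", "qwerty", "admin123", "dragon", admin_pw]
    burst = [guard.attempt("admin", g, 1000.0 + i) for i, g in enumerate(guesses)]
    later = guard.attempt("admin", admin_pw, 1000.0 + LOCKOUT_SECONDS + 10)
    return burst, later
```

The burst shows the lockout engaging after the fifth miss and holding even when the seventh guess is correct; the retry after the window shows the legitimate owner regaining access without manual intervention.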

Comments are closed.