IT security and control firm Sophos is advising Twitter to
harden its security as a French hacker claims he broke into
Twitter's internal administration system, enabling him to access
the accounts of millions of Twitter users - including Barack Obama,
Britney Spears, Ashton Kutcher and Lily Allen.
The hacker - known as 'Hacker Croll' - claims that he was able
to access Twitter's internal administration system after stealing a
password from a staffer at the micro-blogging website. It is
alleged that by resetting the employee's Yahoo password after
guessing his 'secret question', Hacker Croll found the information
about the staffer's Twitter login credentials.
The claims appear to be confirmed by screenshot images uploaded to a
French blog, which give a glimpse into the micro-blogging site's
admin panel and reveal that the likes of Kutcher and Allen have
blocked other Twitter users, such as celebrity gossipmonger Perez
Hilton, from contacting them. Amongst the private information
accessible were the email addresses of compromised accounts, mobile
phone numbers (if one was associated with the account), and the
list of accounts blocked by the affected user.
"This is just the latest in a string of security issues at
Twitter in recent months, and the website is surely in danger of
losing the confidence of its users who will be rattled by yet
another breach," said Graham
Cluley, senior technology consultant at Sophos. "Just like with
the recent Twitter worm outbreaks, this is not so much a case of
Twitter raising awareness amongst its many users about sensible
online security, but learning a few lessons itself. Careless
security by the micro-blogging site could potentially put millions
of Twitter users at risk."
Sophos advises that Twitter's internal security could be
improved if staff were required to log in using authentication tokens
that generate a fresh one-time key for each login, meaning that even
if a staffer's username and password are compromised, an attacker would
still not be able to gain access.
"If a Twitter employee loses their password, it seems hackers
can run riot on the site and cause all sorts of problems. By making
staff adopt the kind of hardware authentication keys that many
online banking customers now need to use to login online, Twitter
would make it far less likely that an attack like this could
succeed," explained Cluley. "Let's not forget, although many will
blame Twitter for not ensuring that its staff followed sensible
policies to better secure critical administrator accounts, the real
criminal here is Hacker Croll."