
Phishing attacks, which hit Twitter over the weekend, are a sign a service has arrived (Facebook has the same problem). But someone hacking into Twitter’s internal admin tools and compromising 33 high-profile accounts, including that of President-elect Barack Obama, has Twitter users freaking out about what to do.
Here is Twitter’s official explanation:
This morning we discovered 33 Twitter accounts had been “hacked” including prominent Twitter-ers like Rick Sanchez and Barack Obama (who has not been Twittering since becoming the president elect due to transition issues). We immediately locked down the accounts and investigated the issue. Rick, Barack, and others are now back in control of their accounts.
What Happened?
The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.
Most of us got a good chuckle out of the various messages that were left on the Twitter accounts for Barack Obama, Britney Spears, Bill O’Reilly and others this morning. But one other message came through loud and clear - Twitter is not yet ready for prime time, even though users continue to flock to the service.
If getting hacked means you are not ready for prime time neither is Facebook, MySpace nor a whole host of other social networks and Web 2.0 sites.
Good point.
And that means all the other ones that did not get hacked are prime time?
http://groups.im/
I agree. All accounts from all websites are susceptible to being hacked; it’s just a user name and password. I assume a dictionary attack on the most popular one. The price you pay for being popular.
You don’t make any sense! Just cuz they got hacked it means they’re not ready for prime time? lol
It does appear to be a bit short-sighted to say that just because a service gets hacked, it is not ready for prime time.
Every major company, with enough popularity, is bound to have breaches in security at some point, whether they acknowledge so or not publicly.
Is there major room for improvement? Sure. But to say that Twitter isn’t ready for prime time because an individual hacked 33 accounts, just seems a bit odd.
Exactly.
Hackerz, please go to work on all these other big corporate sites.
Well, what were some of the other ones? I don’t Twitter, but I would like to know!
Nevermind, I see them in the previous TC post.
Those of us who have worked with the Twitter API from early days are very familiar with just how bad and insecure their code is. Up until recently, there was an obvious hole that allowed you to view any private message. They also previously had rather obvious holes with authentication, sessions and more (there was a really dumb hole where as long as you are logged in and had a valid session, you could emulate any other user).
So for a lot of people, hearing that there is yet another hole, but that this time the person who discovered it decided to screw around with the site rather than report it to twitter, is not a huge surprise.
I have discovered two big holes since Twitter launched, and know of at least 8-10 more that have been patched up.
Bad dev along with bad sys admin and architecture (downtime issues) makes me wonder how this site ever became so popular.
Bad dev, seems so. Bad network / sys management & architecture, oh god yes. How are they so popular? $20M in funding ought to do it.
Twitter’s lack of features that users are calling for, poor API implementation (requiring 3rd parties to store your credentials!) and scalability problems show it’s not ready for prime time.
The hack just shows the general population another reason….
Speaking of requiring third parties to store users’ credentials, as horrible as that is, Dave Winer has a new ‘idea’ that tries to fix it, but makes it 1000x worse:
http://www.scripting.com/stori.....ation.html
with ideas like that, I find it hard to believe that Winer had anything to do with RSS..
Anyone with a clue will get a kick out of that post and his idea.
Ya I love getting tons of twitter spam in the form of iPhone offerings…
Why doesn’t TC keep me logged in anymore?
I don’t want to go through f connect.
It seems ‘GET BIG FAST!!’ has made companies let their guards down. Happened to Hi5, Facebook and now Twitter. Mike, I hope you have reset your passwords!
Twitter is a gimmick. The real user (millions that use myspace) will never embrace it. It’s a fashionable gimmick for tech-savvy
I sincerely hope that the millions of people who use MySpace never flock to twitter. MySpace is the epitome of what’s wrong with the internet.
Amen
4chan…
How is a myspace user a “real user” and Twitter users are not? I guess, by your comment, you consider tech-savvy users to be an inconsequential user group. Yes, let’s not embrace technology! Instead, let’s gather around the myspace watering hole with all the other people who want to tell the world what music they listen to, how much they had to drink last night, and who slept with who. (In case you couldn’t tell!)
I wouldn’t want to believe it was another inside job by a disgruntled (ex)employee. How else would anyone know about this special tool they speak of?
Dictionary attack? They need only spam the site with directory / sub-domains or whatever to find a URL which appears as an administrative name (e.g. admin, wp-admin, manage, etc) and return the result when the header does not return a 404 code.
Thank God @scobleizer didn’t get hacked - tens of thousands of twitter users might have been inundated by spam and inane commentary, all under the name of scoble …
huh? oh wait a sec, I just had an epiphany here.
LOL! My first hearty laugh of the day!
@maremel
At least the “hacker” was obviously just having a bit of fun and wasn’t trying to do anything truly damaging. Childish though it may be, I got a good laugh from all of the fake tweets.
I disagree. I’d say this person exposed him or herself to significant liability for what they did today.
If the hacker who did this has half a peanut, they won’t be locating the perpetrator anytime soon.
Let’s face it, they can barely keep a website up, let alone track a hacker. Probably don’t know where to even begin.
Not if it was the person who bought Twply, and got the employee admin credentials along with the purchase.
Mike I didn’t mean to downplay the seriousness of illegally breaking into another computer system. I just meant that he didn’t try to like take over the world or anything. He just made some jokes about some famous people.
Barack has not been twittering because of the transition? That is the biggest piece of carp I have heard this year.
Maybe he hasn’t got enough time cos he’s got 2 WoW accounts to take care of, you know.
Look, you did good, I admire you. But stop voicing carp, because remember why McCain lost? Because he was doing just that.
Dude, I love Carp.
thank you, gave me a good laugh…
TechCrunch hasn’t ever been compromised in some way?
not like this.
plus, we’re a BLOG.
So… blogs aren’t important?
You guys don’t even use HTTPS during authentication.
So, blogs are not ready to be considered not ready for prime time?
Tom, let us know when your TechCrunch user account gets hacked…
You sure?
Ah. I get it, and yes I understood Arrington’s point about why hacking a service like Twitter is much more enticing than hacking a blog. My point was more that if anything, this is a sign that Twitter has made the primetime, and that Arrington’s change in attitude towards Twitter because of this sort of attack (which virtually every start-up without a password strength test is subject to) is a little over-the-top.
And, fake Michael Arrington, thanks for having my back.
My account was also hacked into, and I certainly wasn’t taken in by the phishing scam. Twitter did the right thing by announcing it and taking their tools offline; this kind of thing does happen in software development sometimes, and it’s best to be open about the issue.
They’ve certainly had their teething issues, but I think the “bad dev” comments above are unfair. They’ve had to get over some unique issues since they started to grow, and have dealt with them pretty well. The site has definitely matured over the last year.
Hi,
I’m a new Twitter.com user (564 followers) and Twitter has been my essential access to thought leaders in Web 3.0.
If you had access to Sir Richard Branson, Guy Kawasaki, Shoemoney, John Chow, Tyler Cruz, Darren Rowse and other genius bloggers / marketers would you enjoy free access to them?
I certainly have! Twitter put me in touch with BlogWorld executives, I was able to attend the Expo in September 2008 and meet some of the above in person, even had dinner with a few.
Don’t bash Twitter for being so popular. I would not be attending Affiliate Summit West for free if not for twitter.
Respectfully, Nicholas Chase
http://www.twitter.com/nachase
You sir, are everything that is wrong with the internet today. Go back to being a regional salesman for an inkjet company so the real marketers and internet engineers can carry your ass through the 21st century.
bwahahahahahaha
you sir, win.
thank you.
Well said.
Genius bloggers? Fuckin douchebags.
Been using Twitter for a couple of months and following some “celebrities” for a while now. Yet to see something that will make me think they are a genius in their own right. Most of the time there are just links to their own websites. This comment is not an attack on Guy but just wondering where does this all lead to?
For bloggers like TC or Mashable it makes sense to post links to their latest articles and drive traffic. But, what sense does it make for somebody to just keep posting links to their site or other news sites and why would people deem them as a celebrity?
awww man!!.. how come MY TWITTER account wasn’t hacked into?!..
does this imply that I’m NOT famous?!
No, you are a p. o. s.
This is certainly a thorn for Twitter and users like myself, but unlike Facebook and MySpace, your Twitter account really doesn’t contain any personal information. Not that I’m downplaying the significance of this hack but I don’t feel as intruded upon with this one compared to the Facebook hack a couple weeks ago. Will be curious to see how Twitter deals with this from a PR standpoint…
Well, it’s happened to a lot more than just 33 famous accounts. I know of several non-famous people who have had comments sent to them complaining about the spamming direct messages, and such.
twitter - it’s bigger than you think.
All of this reminds me:
1) I’m not important enough to get hacked
(That I knew, alas)
2) I’m not connected enough to get more than one tainted DM this weekend
(*sigh*)
3) Twitter is, of course, still a start-up with no revenue but an amazing variety of also free lifehacking add-ons from the outside world that make it a Twitterverse.
4) I’ve gotten two major international business leads from my Tweets that I would not have gotten any other way…but had no illusions of a safe, closed system.
‘Tis just the beginning…
@maremel
hmmm…
how come MY Twitter didn’t get hacked?
Twitter says: “We’ll put them back only when they’re safe and secure.”
What does this mean? Didn’t they consider them to be “safe and secure” until this very incident? Why should we trust them again?
Once trust has gone, it won’t come back until Twitter employs a new security expert with scene credibility.
Actually, this is probably the best thing to ever happen to Twitter:
1. Lots of high profile twitters got attacked.
2. Their company was all over the news today (and this weekend).
3. Everyone is now talking about Twitter.
4. Those that weren’t hacked are crying about how they’re not relevant.
As they say: There’s no such thing as bad news.
Sites and webservices get hacked, it’s not a good reason to claim that “twitter is not ready”.
Sorry but this made me laugh to be honest… Yeah it sucks that they got hacked. But seriously who cares who got hacked, what is the difference between a Barack account vs mine vs Joe Schmoe vs a friend of mine who isn’t technical at all? I would surely hope that ‘nothing’ would be the answer. Hopefully the Twitter team gets it dealt with.
To step on Barack’s account being hacked, I just have to laugh. I am hoping most people know that it isn’t actually Mr Obama updating Twitter. I know 5 or so people who worked on his campaign and knew where Obama was within a few-hour block.
OMG! Get off the twitter bashing! It is a wonderful resource to get in touch with like minded professionals. I have met many health professionals and other Health 2.0 advocates via twitter. http://www.twitter.com/mydochub
Consider the damage done and assess whether twitter took a blow to its ability to offer a web-service. In my opinion they are fine. People took advantage of a vulnerability only to post up false and bogus updates.
I love the title, Twitter gets hacked, badly and then the image of a tweet stating “Bill O Riley is gay” as if that’s the worst kind of message coming from this particular hack.
I don’t think being Gay is that big a deal and it doesn’t reflect the “Badly” used in the title. Kind of homophobic.
I suppose someone managed to get access to their admin tools (perhaps by brute-forcing?). I don’t think they’re able to see passwords, but rather that there was a misuse of Rails’ mass-assignment feature (allowing the attacker to change any attributes associated with the particular account).
Just a guess.
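The comment above guesses at a mass-assignment misuse. The following is an added illustration of that pattern, not code from the article, the commenter, or Twitter: plain Ruby with no Rails dependency, using a hypothetical Account class and a constructed parameter hash, to show why writing every incoming key onto a record lets a client smuggle in attributes (here an admin flag) it was never meant to control, and how an allowlist stops it.

```ruby
# Added example: mass-assignment in the vulnerable and the hardened form.
# The Account class is hypothetical and stands in for an ORM-backed record.

class Account
  attr_reader :username, :email, :admin

  def initialize(username:, email:, admin: false)
    @username = username
    @email = email
    @admin = admin
  end

  # Vulnerable pattern: every key in the request hash becomes an attribute write.
  # A form post that adds "admin" => true escalates the caller's own privileges.
  def unsafe_update(params)
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened pattern: only explicitly allowed keys may be written from request data.
  # This is the idea behind Rails' attr_accessible (Rails 2/3) and strong parameters (Rails 4+).
  ALLOWED = %w[email].freeze

  def safe_update(params)
    rejected = params.keys.map(&:to_s) - ALLOWED
    unless rejected.empty?
      raise ArgumentError, "refusing mass-assignment of: #{rejected.join(', ')}"
    end
    params.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end
end

# Constructed request parameters: a legitimate email change with a smuggled "admin" key.
TAMPERED_PARAMS = { "email" => "new@example.com", "admin" => true }.freeze

# Returns the account after the unchecked update; its admin flag will have flipped.
def demo_unsafe
  Account.new(username: "alice", email: "old@example.com").unsafe_update(TAMPERED_PARAMS)
end

# Returns the allowlist's rejection message instead of applying the tampered update.
def demo_safe
  acct = Account.new(username: "alice", email: "old@example.com")
  acct.safe_update(TAMPERED_PARAMS)
  :accepted
rescue ArgumentError => e
  e.message
end

if __FILE__ == $0
  puts "unsafe: admin=#{demo_unsafe.admin}"
  puts "safe:   #{demo_safe}"
end
```

The hardened version rejects the whole request rather than silently dropping the extra key, which makes tampering visible in logs; Rails' strong parameters drop unpermitted keys by default and can be switched to raising with `config.action_controller.action_on_unpermitted_parameters = :raise`.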
What’s twitter? Never heard of it before, it’s not like you bang on about it every damn day…
These days I feel like I can’t even trust the name on a Twitter account. Anyone can pretty much register one to say whatever you want it to. I wouldn’t even think twice seeing a Fox News Twitter account that said B.O’R was gay - I’d just assume it was faked regardless.
None of these Social websites can protect themselves fully from these kind of attacks… There will always be some exploits that determined people will find and take advantage of…
Sad but true…
Bill O’Riley isn’t gay?
It just occurred to me…Twitter’s boilerplate (used in the above CrunchBase entry, and elsewhere) should be 140 characters or less.
As for the security breach, I think it is a rather quick rush to judgment to suggest that Twitter isn’t ready for prime time. Twitter is already in the prime time slot on the web, and far more mature sites in the top 20 have experienced much broader outages, breaches, and DoS, in recent months/years. This is part of being prime time.
So does linking twitter with your paypal account via TipJoy still seem like a good idea to anyone?
Hi, I’m cofounder of Tipjoy.
You don’t have anything to worry about. The phishing is a security hole in any website that accepts passwords. PayPal itself has had huge problems with it.
Not only do we monitor activity on twitter very closely (there wasn’t a single phished-account twitter payment), but we also audit every request to cash out. There is no way to get money instantly out of Tipjoy. We do this because we’re working on anti-fraud software. The delay is small, but enough for fraudsters to be stopped.
But you don’t have to take just our word on it. Founders and employees at twitter are using Tipjoy: http://bit.ly/tj_twt
Guys, don’t forget to create your twitter avatar with your own face from http://www.trutoon.com
Nothing Arrington puts on here will ever top this:
http://news.zdnet.co.uk/itmana.....252,00.htm
30,000 credit card numbers were stolen from eUniverse (parent company of MySpace) by a Russian.
They apparently weren’t even lightly encoded in the database.
Top this story and you should get a cookie. This was the most severe online retail compromise of all time.
I got hit with 56 Phishing DM in the last 24 hours.
I have to agree that this whole hacking thing has definitely done more good for Twitter than bad.
http://www.xy7millions.com
Bound to happen.
Twitter Follow
http://twitter.com/SocialWit
Hope they can fix the security issues fast!
I’m so bloody sick of twitter & lame twitter ‘startups’ that a little public spanking is awesome.
Soon . . . maybe one day . . . we’ll all realize just how boring twitter is . . . sigh
I liked the other screenshot better that showed rick (dirty) sanchez as doing crack. but i guess the leftist tech community always wants to swipe at conservatives. #fail #getnewmaterial #boring
Breaking: who cares?
Has anyone heard of a tool called AirGut that can hack accounts? O.O
I hate “forgot password” scriptkiddies. Please note that these accounts were compromised by Ruby users, since twitter rewrote the system from scratch.
Video of the hack is on YouTube:
http://www.youtube.com/watch?v.....amp;fmt=18
I think the way Twitter handled this crisis is appalling. Anyway, I drew a cartoon to express what I think about this whole mess: http://www.jonin60seconds.com/.....hacks.html
How many times has this happened to Twitter again?