Back in May, Twitter was hacked by someone who got into the accounts of several Twitter employees and then gained access to high-profile accounts such as those of Britney Spears and Ashton Kutcher. The breach was the work of someone going by the name Hacker Croll, who posted the compromised screen shots on a French message board. Now more screenshots attributed to the same hacker have popped up on another French site (rough translation here).
According to the post, Hacker Croll was able to compromise the Twitter accounts of founder Evan Williams, his wife, and several employees. Using password recovery techniques, Hacker Croll claims he gained access to various Paypal, Amazon, Apple, AT&T, MobileMe and Gmail accounts. I emailed Evan Williams asking about the breach. He confirms:
Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of twitter where someone gained access to users’ accounts. This had nothing to do with the security of twitter.com, and there were no user accounts compromised here.
Some notes:
- He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
- There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
- He also successfully targeted a couple other employees’ personal accounts (Amazon, AT&T, Paypal…)

In general, most of the sensitive information was personal rather than company-related. Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email.
Above and below are purported screenshots of Williams’ accounts on Twitter, Gmail, and GoDaddy. He claims he was able to access Twitter’s domain name account on GoDaddy and could have redirected the traffic to another IP address (I’m sure that would have worked for about three minutes). The Gmail access, if true, would have been more troubling. Once the hacker got into @ev’s Gmail account, password recovery for other accounts was easy. He claims to have gained access to some internal documents, including projections for reaching 25 million users in 2009, 100 million in 2010, 350 million in 2010, and an outlandish goal to eventually become the first Internet service to reach one billion users. So maybe some corporate information was compromised.
Here is a list of some of the other things he claims to have found out, along with screenshots below, the last being a plan for Twitter’s new office space, including a sleeping room, a playing room, greenhouse, a meditation room, bicycle room, gym, washer/dryer, wifi, lockers, wine cellar, and an aquarium. Twitter moved into its new digs in July (the accounts were compromised in May, which is when all of this information dates from):
- the complete list of employees
- their food preferences
- their credit card numbers
- some confidential contracts with Nokia, Samsung, Dell, AOL, Microsoft and others
- direct emails with web and showbiz personalities
- phone numbers
- meeting reports (very informative)
- internal document templates
- time sheet
- applicant resumes
- salary grid (time for me to move..lol)
Who knows if any of this is true (there are no actual screenshots of the corporate documents), but it is enough to make any executive wary of living too much in public.

i’m sure he’s thrilled you used his fb account pic and not his twitter account for the image… saraishot.com – lol
I know… that’s rather ironic! It made me think that the hacker did something to his account, but they didn’t!
There is nothing to stop these hackers?
The only way to have 100% security for your personal data is to never be born.
dollars to doughnuts this had NOTHING to do with a hack, but was pure social engineering.
Stopping social engineering is difficult, as it assumes that no one in your org is a putz.
I don’t know about that. Security of your data isn’t the endgame (you lost) you think it is.
I have made it so that no one can usefully use my data but me.
What good is it to know my digits if I have rendered those digits useless to anyone but me?
Live an open life. Then you have nothing to fear.
Or live like a selfish chipmunk hoarding and guarding.
I wonder how they were able to hack into Evan’s gmail account with only Twitter details?
May be the same login credentials in both the accounts!
Given that this was an attack against Ev and not against Twitter, which would be somewhat news worthy, all you do by making this post is give the kid the e-fame he is looking for.
he hacked all of these places and forgot to reveal their evil MONETIZATION PLAN? FAIL!
you can’t find something that doesn’t exist…
lol
You, Sir, are HOT.
nice info…
good news…
Wow, I can’t wait till all my data is in the cloud.
How is it that you are always one of the first to post?
“100 million in 2010, 350 million in 2010”? Should this read “100 million in 2010, 350 million in 2011”?
Damn. Sometimes I feel so bad for Twitter. They always seem to have tough luck with stability and security. Hard to imagine this happening with the leaders of Google or Facebook but I am certain it does, they just keep it under wraps.
I realize this isn’t actually Twitter’s fault but if an executive’s private information is compromised then it is certainly a problem for the organization.
What program did Twitter use for laying out their office space?
wow I am surprised he did not re-route the dns of twitter.com, that takes several hours to a few days to fully propagate throughout the interwebs…
interesting.
I don’t think he really wanted to do any damage, just a proof-of-concept.
LOL
So where is that salary grid posted?!
getting owned by the french smh
test
That kind of sucks
it seems like intense social networking gradually gave way to hacking. I am not very surprised here. Hacking biggies’ accounts has happened before. A 100% foolproof system against hacking is yet to be developed
This is interesting. I wonder what is that “password recovery technique”? And how did Hacker Croll hack the accounts?
http://en.wikip...ssword_recovery
wives are huge security breaches
That makes me lol
yes indeed!
What I don’t understand is this. So the hacker broke into the “Twitter” system yes? Why was all this personal information associated with that system? What it really comes down to is that Evan had his Gmail account password set to “ilovetwitter”, and foolishly kept tons of super top secret information in it. Rather than internally.
Wow, that is amazing.
Good. Hacker Croll goes by ethics
http://www.upal...cc/hacking.html
It would be terribly immoral to post stolen information at TechCrunch. If people would simply exercise a tad bit of morality, hackers would not have such a field day, messing up the Internet. So sad that TechCrunch plans to publish STOLEN information. No better than the hacker. Shame, shame, shame.
Let us know which security steps you employed in order to make it more difficult to be attacked!
It wouldn’t surprise me if Twitter released this stuff as a publicity stunt. The more I think about it, the more likely I think this is the case. Too much of a legal headache to post this kind of stuff and can’t imagine it would be worth it.