How celebrity Twitter accounts were hacked, and how it can be stopped in future

Wired has published details of how a hacker managed to hack into Twitter’s internal systems earlier this week, opening the door for criminals to break into the Twitter accounts of the likes of Britney Spears, Fox News and Barack Obama.

The teenage hacker, who uses the online handle GMZ, claims he gained entry to the micro-blogging site’s administrative control panel by running a dictionary password guesser against a Twitter staffer’s account.

Unfortunately for Twitter and its hacked users, the staff member had chosen the dictionary word “happiness”.


Wired has published a YouTube video made by GMZ, demonstrating the hack in action. Unfortunately the quality of the video capture is very low, but it does appear to demonstrate that any account was accessible.

As their video is so poor, we made our own rather different video to show you the impact of having your Twitter account hacked (with err.. apologies to Danny Kaye):

GMZ claims that he did not use other hacked accounts himself, but posted a message on a hacking forum offering access to any Twitter account by request.

What lessons can be learnt from this?

Firstly, you should never use an easy-to-guess password to secure your online accounts. Using a dictionary word like “Happiness” shows a complete lack of knowledge about how to use computers safely. Twitter could help avoid this problem by insisting that passwords are not known dictionary words, or forcing the use of numbers and other characters (such as underscores, exclamation marks and percent signs) in users’ chosen passwords.

Secondly, Twitter and other websites should be able to tell when hackers are trying to brute-force their way past a password. GMZ says he ran his automatic password guessing program overnight before it finally broke its way in. There’s no reason why Twitter couldn’t, say, notice that someone has entered the wrong password three times in a row, and then insist they wait 15 minutes before trying to log in again.
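Both lessons above, the password rule and the three-strikes lockout, can be sketched in a few lines of Python. This is an added example, not Twitter's code: the function and class names, the tiny wordlist and the return values are all assumptions made for illustration, while the three-attempt and 15-minute figures come from the paragraph above.

```python
import time

MAX_FAILURES = 3            # wrong passwords in a row before lockout (from the article)
LOCKOUT_SECONDS = 15 * 60   # 15-minute wait (from the article)
# Constructed sample wordlist; a real deployment would load a full dictionary.
DICTIONARY = {"happiness", "password", "twitter", "sunshine"}


def password_problems(password, dictionary=DICTIONARY):
    """Return the reasons a chosen password should be rejected (empty list = OK)."""
    problems = []
    # Strip digits and symbols so "Happiness1!" is still caught as "happiness".
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if password.lower() in dictionary or letters_only in dictionary:
        problems.append("based on a dictionary word")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


class LoginThrottle:
    """Tracks consecutive failed logins per account and enforces a lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}      # account -> consecutive wrong passwords
        self._locked_until = {}  # account -> time at which the lockout ends

    def seconds_until_allowed(self, account):
        return max(0.0, self._locked_until.get(account, 0.0) - self._clock())

    def attempt(self, account, password_ok):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        if self.seconds_until_allowed(account) > 0:
            return "locked"   # refused without revealing whether the guess was right
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= MAX_FAILURES:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            self._failures[account] = 0
        return "denied"
```

With this throttle an overnight guessing run gets at most three tries per account every 15 minutes. The trade-off is that anyone can temporarily lock a known account out by failing three logins on purpose, so repeated lockouts should also raise an alert.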

If you use Twitter, don’t be a twit. Make sure that you are using a sensible hard-to-crack password today.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
