Twitter security breach exposes accounts to hackers

A French hacker is claiming that he broke into Twitter’s internal administration system, giving him access to the accounts of millions of Twitter users including those of Barack Obama, Britney Spears, Ashton Kutcher and Lily Allen.

The claim appears to be confirmed by screenshot images uploaded to a French blog, giving a glimpse into Twitter’s admin panel and revealing that the likes of Kutcher and Allen have blocked other Twitter users such as celebrity gossipmonger Perez Hilton from contacting them.

Twitter admin hack

Although early media reports, suggested that Twitter has so far remained silent about the security breach, they have now published a brief blog entry about what occurred.

Sign up to our free newsletter.
Security news, advice, and tips.

Amongst the private information which was accessible by hackers was the email addresses of compromised accounts, mobile phone numbers (if one was associated with the account), and the list of accounts blocked by the affected user. You can probably understand why the typical celebrity would not want their email address and mobile phone number visible to unauthorised third parties.

It appears that the breach echoes an incident from earlier this year when a hacker broke into a Twitter administrator’s account after guessing that their password was the dictionary word “happiness”. That particular security lapse lead to a number of celebrity accounts being defaced.

In this latest case, the hacker (who uses the online handle “Hacker Croll”) claims that he was able to access Twitter’s administration panel after stealing a password from a staffer at the micro-blogging website. How did we get his paws on the password? By resetting the employee’s Yahoo password after guessing his “secret question” and finding the information about their Twitter login credentials inside.

As we’ve discussed many times before, choosing an easy-to-guess answer to your “secret question” can have serious consequences.

Although many will blame Twitter for not ensuring that its staff followed sensible policies to better secure critical administrator accounts, lets not forget that the real criminal here is Hacker Croll. They have acted illegally by breaking into these accounts, even if they didn’t do anything malicious when accessing the celebrity accounts.

It seems to me that Twitter’s internal security could be improved if staff were forced to log in using authentication tokens that provide a randomly generated key upon login, meaning that even if a staffer’s username and password is compromised hackers would not be able to gain access.

At the moment, if a Twitter employee loses their password, it seems hackers can run riot on the site and cause all sorts of problems. By making staff adopt the kind of hardware authentication keys that many online banking customers now need to use to login online (I have to use such a device when I log in to Sophos remotely, for instance), Twitter would make it far less likely that an attack like this could succeed.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.