Twitter’s Administrator Panel Hacked (

April 30th, 2009

Twitter’s Administrator Panel Hacked (Again)

Yesterday, a French hacker claimed to have gained access to Twitter’s administration panel, and based on the screen shots that he included featuring internal data for accounts belonging to U.S President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter.

The hacker going under the handle of Hacker Croll featured 13 screenshots of Twitter’s admin panel, and commented that “The images were taken from the Admin area that was secured with .htaccess.” It’s still unclear whether any data belonging to account holders was modified, but one has to assume that given the access obtained, there’s a high chance that he was able to download anything he wanted to.

The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account got compromised on the 27th. The attack comes two weeks after multiple variants of Mickeyy’s XSS worm hit the continuously growing micro-blogging service.

Interestingly, Hacker Croll goes into more details regarding the compromise on a different forum – “one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.” and that he “used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection“.

The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter’s employees — similar attack took place in January this year. Similar password reset attack contributed to the successful hacking of Sarah Palin’s personal email account in September last year.

Update (May 01): According to Twitter official announcement:

This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access.

Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user. We have personally contacted Twitter users whose accounts were compromised via this unauthorized access.

Password information was not revealed or altered, nor were personal messages (direct messages) viewed. Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.

Credit: ZDNet.com Security Blogs

Share this item with others:

More on CyberInsecure:

Botnet Kit And Service Offered To Non-Techies

WordPress Cookie Integrity Protection Allows Unauthorized Access

Access To Hacked Government, Educational, Military Websites Sold On Underground Market

Serious Vulnerability In Private BitTorrent Trackers

WordPress Doorway Spam Attacks

Posted in Breaches And Incidents, Privacy, Targeted Attacks |

Print This Post

This entry was posted on Thursday, April 30th, 2009 at 5:15 pm and is filed under Breaches And Incidents, Privacy, Targeted Attacks. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

If you found this information useful, consider linking to it from your own website.
Just copy and paste the code below into your website (Ctrl+C to copy)
It will look like this: Twitter’s Administrator Panel Hacked (Again)