April 30th, 2009

Twitter’s Administrator Panel Hacked (Again)

Yesterday, a French hacker claimed to have gained access to Twitter’s administration panel. The screenshots he included feature internal data for accounts belonging to U.S. President Barack Obama, Britney Spears, Ashton Kutcher, and Lily Allen, as well as a detailed overview of different sections behind the scenes of Twitter.

The hacker, who goes by the handle Hacker Croll, posted 13 screenshots of Twitter’s admin panel and commented that “The images were taken from the Admin area that was secured with .htaccess.” It’s still unclear whether any data belonging to account holders was modified, but one has to assume that, given the access obtained, there’s a high chance that he was able to download anything he wanted to.

The screenshots were obtained through the account of a Twitter employee who reported that his Yahoo! Mail account got compromised on the 27th. The attack comes two weeks after multiple variants of Mickeyy’s XSS worm hit the continuously growing micro-blogging service.

Interestingly, Hacker Croll goes into more detail regarding the compromise on a different forum: “one of the admins has a yahoo account, i’ve reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password.” He adds that he “used social engineering only, no exploit, no xss vulnerability, no backdoor, no sql injection”.

The Twitter admin hack appears to be the result of a successful social engineering attack against one of Twitter’s employees. A similar attack took place in January this year, and a similar password reset attack contributed to the successful hacking of Sarah Palin’s personal email account in September last year.

Update (May 01): According to Twitter’s official announcement:

This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access.

Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user. We have personally contacted Twitter users whose accounts were compromised via this unauthorized access.

Password information was not revealed or altered, nor were personal messages (direct messages) viewed. Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.

Credit: Security Blogs
