Monday, January 5, 2009

Twitter Hacked

This morning at around 9am Pacific "under 50" of the most-followed Twitter users lost control of their accounts, including Barack Obama, CNN's Rick Sanchez, Fox News, and me. Both my password and the reset email address were modified. As far as I know the hacker didn't post on my account, but Fox News tweeted "Bill O'Reilly is gay" and Rick Sanchez announced that he was taking the day off because he was on crack. Twitter was quick to remove these spurious posts and block the hacker. But what really happened? I got this explanation from Twitter's John Adams, @netik, via Qik on my iPhone at the Tweetup at the 21st Amendment tonight. According to John, the hacker gained access to Twitter's admin tools.

[Video: http://leoville.com/wp-content/uploads/2009/01/200901twitterhack.mov]

Scary.

Reader Comments (19)

Holy Moly! That is seriously scary.

On a similar note, I've seen some of the most popular UStreamers get hacked in the past week. I wonder what is in the air lately?

January 5, 2009 | Unregistered Commenter SuzanneSez

Well, I'm not one of the famous people and my account was hacked too. Not once but twice in 1 day.

January 5, 2009 | Unregistered Commenter cntrysigns

Leo has cut out some of the discussion I had with him here, but, basically, an admin tool was abused allowing a rogue user to modify some accounts on Twitter. As described in our status blog at http://status.twitter.com, we have modified our site to restrict admin privileges to appropriate users and to prevent the abuse that allowed this attack to occur.

Please understand that our staff is on the job and we will do all we can to protect our users, and have dedicated a team of engineers to this issue.

Nice meeting you this evening, Leo.

January 5, 2009 | Unregistered Commenter netik

It is no different to what people using the Windows operating system have been exposed to over the last few decades - with popularity comes traffic and an urge from those of the dark side of the force to corrupt and get some kind of status kick out of it. It should be expected as a by-product of success.

Always someone out there wanting you to fall. :)

January 6, 2009 | Unregistered Commenter phil campbell

I really appreciated your openness, John. It's really good to know what happened. The full conversation is on Qik: http://qik.com/twit (along with other videos of the revelry last night). It was good meeting you too!

January 6, 2009 | Unregistered Commenter leolaporte

[...] hack was achieved by gaining access to the twitter admin tools, as confirmed by @netik in a video interview with Leo Laporte. While I am very encouraged by their transparency on the issue, it is a pretty [...]

[...] Leo Laporte has a great post about this as well as an interview with Twitter’s John Adams here. The unedited video of that interview is here. [...]

[...] What really happened to Twitter today. leoville.com/2009/01/05/21740/ [...]

January 6, 2009 | Unregistered Commenter Today’s Tweets from Leo

Wish they would have posted that I got lucky. :-)

January 6, 2009 | Unregistered Commenter Hoosierguy

Too bad, really. I was psyched that O'Reilly had finally come out...

January 6, 2009 | Unregistered Commenter J.R. Orci

Who's asking the questions? It doesn't sound like Leo's voice

January 6, 2009 | Unregistered Commenter Fred

[...] doesn’t pretend nor try to be a universal authentication package. Twitter’s intent was never to let this happen. While their approach to security best practices may have been lacking, it’s still not their [...]

Twitter has been hacked? It is very scary that this happened. The admin area is very sensitive and needs to be given extra security after this. You can learn more about taking good care of admin security after this. Keep up the good job, team Twitter....

January 7, 2009 | Unregistered Commenter My Inventory Management

Twitter broke some very simple security rules: enforce complex passwords (especially for your admin accounts), and lock an account out after a certain number of failed attempts. The hacker used a simple dictionary password attack to break in.

What I really find deplorable is John's comment that obtaining the hacked users' real e-mail address from a backup would be "very time consuming." I think the very least you'd want to do for your most prominent users is to send them a new password so they can get back on Twitter ASAP. I'd understand if it were the hacked users that chose poor passwords, but it was Twitter's own staff that provided the security hole.

January 9, 2009 | Unregistered Commenter artanis

O'Reilly's membership would be rejected

we would not want to be associated with him

January 21, 2009 | Unregistered Commenter MarcC

[...] in the right direction but begs the question: why it took them so long to react to a series of account hijackings? Popular blogger Louis Gray has Twittered about scamsters setting roost on Facebook, but there [...]
