Twitter Hack Details Revealed 222

Jack Spine writes "Twitter co-founder Biz Stone has confirmed both to ZDNet UK and Wired's Threat Level blog that a dictionary attack was used to hack Twitter. After the hacker distributed details on the Digital Gangster forum, celebrities such as Britney Spears and Barack Obama had their accounts defaced. Wired spoke to the alleged hacker, while ZDNet UK got in contact with someone who had been on the Digital Gangster forum at the time."
  • Re:iam3prez (Score:2, Informative)

    by Anonymous Coward on Thursday January 08, 2009 @02:00PM (#26374417)

    It wasn't Obama's account that got attacked. They attacked the account of a Twitter administrator, and then got access to the web-based control panel to reset Obama's password. Pretty lame that a) the admin had such a bad password and b) you can access the control panel from the public internet with the same login as your twitter account.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Thursday January 08, 2009 @02:02PM (#26374463)
    Comment removed based on user account deletion
  • Re:iam3prez (Score:4, Informative)

    by Mr. Sketch ( 111112 ) <<moc.liamg> <ta> <hcteks.retsim>> on Thursday January 08, 2009 @02:05PM (#26374489)

    Looks like you didn't actually read the article. The account of a twitter admin was hacked with a dictionary attack. That account was then used to reset the passwords for various other accounts (Fox News, Obama, Britney Spears, etc) to gain access to those accounts. The original passwords for those additional accounts were not obtained. Only one account (the twitter admin) was hacked, the rest just had their passwords reset.

  • by SighKoPath ( 956085 ) on Thursday January 08, 2009 @02:27PM (#26374791)
    FTA:

    GMZ doesn't know what the reset passwords were, because Twitter resets them randomly with a 12-character string of numbers and letters.

    No passwords were compromised except for the admin account he used the dictionary attack on. So really, the GP's analysis of harm done is pretty accurate.

  • by Snorfalorpagus ( 1321189 ) on Thursday January 08, 2009 @02:28PM (#26374801)

    Do you know anyone who uses the same password for everything?

    Do you think Britney Spears might be one of those people? What about the President-Elect?

    Bad security practices glom together and eventually snowball. In this particular case, the harm was likely de minimis but do you think the individuals whose accounts have been compromised thought to go change their password at their bank, or their email, or whatever?

    You don't (probably) use the same key for your house and your car and your safety deposit box, but on the internet that's what a lot, maybe most, people do. It's a bad security practice. And if you can discover someone's password on one site due to that site's bad security practices, the security of other, responsible sites is moot.

    It should be noted that, for the most part, sites will encode the user's password with a salt/hash of some form. From the article:

    After resetting the password for the account, he gave the credentials to five people.

    So, for this level of attack, using the same password isn't so much an issue. You'd need a more involved level of access to get the unencrypted password and do some *real* damage.

  • by Anonymous Coward on Thursday January 08, 2009 @03:05PM (#26375259)

    Many credit card companies offer a one-time-use credit card number you can use for online purchases. I find it invaluable for online shopping.

  • by everett ( 154868 ) <efeldt&efeldt,com> on Thursday January 08, 2009 @03:24PM (#26375553) Homepage

    Please RTFA before you post. Thank you. The accounts in question had their password reset to a random 12 character string that was then used to post fake tweets. Your comment is irrelevant.

  • by mcgrew ( 92797 ) * on Thursday January 08, 2009 @03:27PM (#26375587) Homepage Journal

    That's not why they want him to give it up. Federal law says that all Presidential emails must be kept and can be used as evidence of wrongdoing. If he keeps his blackberry he's a fool.

  • by FredFredrickson ( 1177871 ) * on Thursday January 08, 2009 @03:32PM (#26375653) Homepage Journal
    PayPal has secure cards too now for free, just install the PayPal plugin. I use single use mastercard numbers for all my online purchasing. Especially nice for porn sites, so you don't have to worry about random charges.
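
Added example, not part of the original thread and not Twitter's code: the chain the comments describe (a burst of password guesses against one staff account, a successful login, then that account resetting other users' passwords) expressed as a detection rule over authentication events. The log format, event names, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed events: '<iso-time> <event> <actor> <target>' (hypothetical format)."""
    t0 = datetime(2000, 1, 1, 3, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{at(2 * i)} login_fail support_admin -" for i in range(40)]
    lines += [
        f"{at(80)} login_ok support_admin -",
        f"{at(90)} login_fail alice -",             # ordinary typo, then success
        f"{at(95)} login_ok alice -",
        f"{at(100)} password_reset alice alice",    # self-service reset
        f"{at(120)} password_reset support_admin celebrity_a",
        f"{at(130)} password_reset support_admin celebrity_b",
        f"{at(140)} password_reset ops_admin bob",  # admin with a clean login history
    ]
    return lines

def detect(lines, max_fails=10, window=timedelta(minutes=10)):
    fails = defaultdict(deque)  # account -> times of recent failed logins
    suspect, alerts = set(), []
    for line in lines:
        ts, event, actor, target = line.split()
        ts = datetime.fromisoformat(ts)
        recent = fails[actor]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if event == "login_fail":
            recent.append(ts)
        elif event == "login_ok":
            if len(recent) >= max_fails:  # success right after a burst of guesses
                suspect.add(actor)
                alerts.append(("guessed_login", actor, len(recent)))
            recent.clear()
        elif event == "password_reset" and actor in suspect and actor != target:
            alerts.append(("reset_by_suspect", actor, target))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The same counter that raises the alert can drive lockout or throttling on the login endpoint, which is the control that stops the guessing before it succeeds.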
