Hacker Croll details how he got into the Gmail account of a Twitter employee, which led to last week's incident
Nik Cubrilovic, writing on TechCrunch (the site that published the documents after they were taken from a Google Mail account by ‘Hacker Croll’), said that when the story first broke, neither the true scope of what had taken place nor how it occurred was understood.
Cubrilovic said: “Various bloggers speculated about the cause of the attack - with some placing the blame on Google while others blaming the rising trend of hosting documents in the cloud.”
The article claimed that “Hacker Croll was successful by using the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees.”
In the case of the Twitter attacks, public information allowed him to build a catalogue of data that included a list of employee names, their associated email addresses and their roles within the company. He was also able to find and record details such as birth dates, names of pets and other seemingly innocent pieces of data, the kind of information commonly used to answer account-recovery questions.
The article also claimed that ‘forgotten password’ links, combined with identifying a user who reused the same static password across several websites, allowed him to obtain the password easily. It stated: “On requesting to recover the password, Gmail informed him that an email had been sent to the user's secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder.”
At Hotmail, Hacker Croll again attempted the password recovery procedure, making an educated guess at the username based on what he already knew. Finding that the Hotmail account was dormant and its address available, he registered it, re-requested the password reset from Gmail and within a few moments had access to the personal Gmail account of a Twitter employee.
Once he had the login and the reused static password, Hacker Croll used the same combination and password-reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave him access to full credit card information in clear text.
When asked by TechCrunch for a comment, Hacker Croll said: “I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.
“I did not do this to profit from the information. Security is an area that has fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the internet.
“I learned the basic rules. For example: be careful where you click, which files you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam and phishing. Keep the operating system and commonly used software up to date. Remember to use passwords without any similarity between them. Remember to change them regularly. Never store confidential information on the computer.
“I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge.”
Stephen Howes, CEO/CTO of GrIDsure, said: “The Twitter hacking case is yet another demonstration of the inherent weakness of fixed passwords. Not only are they easy to break, but the same password is often used across a number of consumer and business accounts because they are not easy to remember – clearly shown by the ‘forgot my password’ feature present on the password login screen.
“With cloud computing-based services becoming the norm in today's online world, it is time that providers start looking seriously at alternatives that are easier to remember and much more secure than traditional passwords, to ensure that confidence in their services is not dashed by further breaches such as this.”