Twitter Confirms Hacker Gained Access
Twitter co-founder Biz Stone has confirmed a hacker was able to breach security at the microblogging service, marking the second time this year an attacker gained administrative access via an employee's account.
According to Stone, an attacker gained unauthorized access to Twitter this week and viewed 10 individual accounts. Twitter's initial security review found that no account information was altered or removed. No password information was revealed or altered for any of the accounts, nor were any personal messages viewed.
"Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user," Stone blogged. "We have personally contacted Twitter users whose accounts were compromised via this unauthorized access."
The admission came after reports of the hack began to circulate earlier today. A French hacker operating under the handle of Hacker Croll posted 13 screenshots of Twitter's administration panel that featured internal data for accounts belonging to a number of high-profile individuals, including Ashton Kutcher and Britney Spears.
In a post in an online forum, the confessed hacker said he used social engineering only-"no exploit, no XSS vulnerability, no backdoor, no sql injection."
The hacker wrote: "One of the admins has a yahoo account, i've reset the password by answering to the secret question. Then, in the mailbox, i have found her twitter password."
According to a report from Wired, a similar situation occurred in January, when a hacker obtained administrative access by guessing the password of a Twitter employee.
The latest hack follows a wave of worm attacks against Twitter earlier in April. In that case, the worm was more of an annoyance for users and is not thought to have caused any actual harm beyond sending spam.
"Twitter takes security very seriously, so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data," Stone wrote.