Twitter has today confirmed that it has again suffered a security breach, this time after someone broke into a Twitter administrator's account and gained access to 10 user accounts, including those of Britney Spears, Ashton Kutcher and Barack Obama.
The attack also resulted in several screenshots of Twitter's administration interface being posted on a French blog, with a couple more images appearing on the forums of ZATAZ, another French site. The images show not only user administration screens but also a blacklist of users and the pages for administering third-party applications that use Twitter's OAuth API.
The account that was compromised is said to belong to an employee called Jason Goldman. The attacker, using the alias "Hacker Croll", said that he got into it by way of Goldman's Yahoo account. "One of the admins has a Yahoo account; I reset the password by answering the secret question. Then, in the mailbox, I found her Twitter password," the hacker said in a forum posting.
The administration site, at admin.twitter.com, is said to be protected by an .htaccess file that denies access to users without the right credentials and admits users from a specific IP range. But, according to TG Daily, the site could be reached by working out the password, because the login prompt, which should have been unreachable from addresses outside Twitter's IP range, was in fact accessible from anywhere.
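The failure described above, a password prompt that is reachable from outside the allowed network, can come down to a single directive. The following is an added illustration, not Twitter's actual configuration (the page does not reproduce it): it assumes Apache 2.2-style syntax and a placeholder IP range, password file and realm name. The first section lets either an allowed IP or a valid password through, so every visitor is offered the prompt; the second requires both, so an outside visitor is refused before credentials are ever asked for.

```apache
# Added example, not the file from admin.twitter.com.
# 192.0.2.0/24, /path/to/.htpasswd and the realm name are placeholders.
# The two sections are alternatives: keep only one in a real file, since
# later directives override earlier ones.

# --- Weak: either condition is enough ("Satisfy Any") ---
# A visitor outside 192.0.2.0/24 is still sent a 401 with the Basic-auth
# prompt and gets in with a guessed or stolen password.
AuthType Basic
AuthName "Admin"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
Satisfy Any

# --- Hardened: both conditions required ("Satisfy All", the default) ---
# A visitor outside 192.0.2.0/24 receives a 403 and never sees the prompt,
# so a leaked password alone is useless from outside the network.
AuthType Basic
AuthName "Admin"
AuthUserFile /path/to/.htpasswd
Require valid-user
Order deny,allow
Deny from all
Allow from 192.0.2.0/24
Satisfy All
```

The directives only take effect if the enclosing `<Directory>` grants `AllowOverride AuthConfig Limit`. The quick check is to request the URL from an address outside the allowed range: a 403 means the IP rule is enforced first, a 401 with a `WWW-Authenticate` header means the prompt is exposed and the password is the only barrier. On Apache 2.4 the same distinction is expressed by wrapping `Require ip 192.0.2.0/24` and `Require valid-user` in `<RequireAll>` rather than `<RequireAny>`. Note that this restriction does nothing against an attacker who already holds a valid password and a foothold inside the allowed range.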
Twitter has been plagued by security problems before, with two major incidents already reported this year. In January someone broke into 31 Twitter accounts, many belonging to high-profile celebrities, after guessing the password of one administrator, which, according to Wired, happened to be "happiness". The site also suffered a series of Twitter worms that modified user profiles and used victims' accounts to spread a simple Twitter message.
Despite this new breach, co-founder Biz Stone has sought to reassure users that their data is safe.
“Personal information that may have been viewed on these 10 individual accounts includes email address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user,” Stone wrote on the Twitter blog.
“We have personally contacted Twitter users whose accounts were compromised via this unauthorized access.”
“Twitter takes security very seriously so we will be conducting a thorough, independent security audit of all internal systems and implementing additional anti-intrusion measures to further safeguard user data.”
Twitter has now restricted access to the administration URL. Suspicious activity was recorded on Goldman's account at around 4:02 PM EDT, after which the account was suspended and then restored. Several messages were publicly visible in the meantime, including "OMG my account has been hacked again !! :-|" and "Security is too bad on Twitter :(." Goldman has since confirmed that his account was the one compromised.