April 30, 2009
Another Twitter administrative account has been compromised, apparently as a result of the same weakness in the Yahoo Mail password-recovery system that allowed someone to hijack Alaska Gov. Sarah Palin's e-mail account last year.
Three days ago, Jason Goldman, a product manager at Twitter, posted that his Yahoo Mail account had been hacked. On Wednesday evening, someone going by the name "Hacker Croll" posted 13 screenshots of Twitter's administrative console at several Web sites. One screenshot shows administrative information about Barack Obama's Twitter account. Another shows information about Britney Spears' account.

Over several posts, "Croll" explains that one of Twitter's administrators has a Yahoo account and that he or she reset the password by answering the secret question. Croll adds that the mailbox contained a message with the Twitter account's password.

A Twitter spokesperson did not immediately respond to an e-mailed request to confirm that Goldman's account was compromised. Calls to the company headquarters in San Francisco went unanswered.

A blog post Thursday by Twitter co-founder Biz Stone states that this week someone did gain access to Twitter. The company's initial security review found no indication that any account information was altered, but 10 Twitter accounts were viewed during this breach. Presumably, this could only be done through an administrative account, but the blog post doesn't elaborate on the nature of the breach.

"Personal information that may have been viewed on these 10 individual accounts includes e-mail address, mobile phone number (if one was associated with the account), and the list of accounts blocked by that user," explained Stone. "We have personally contacted Twitter users whose accounts were compromised via this unauthorized access."

Twitter, he said, plans to conduct an independent security audit of its internal systems and to deploy additional anti-intrusion measures. Similar promises were made following security incidents at Twitter earlier this year. In January, 33 Twitter accounts associated with celebrities were hacked through a brute-force password attack. In March, about 750 Twitter accounts were hacked and used to send spam.
Two weeks ago, a computer worm hit Twitter in several separate attacks, generating almost 10,000 spam tweets and compromising at least 190 accounts. In an e-mail earlier this month, the administrator of StalkDaily.com, going by the name "Mikeyy," took credit for the worm attack as a way to drive traffic to his site. Coincidentally, Croll also posted a screenshot of an internal analysis of Twitter's last high-profile security incident, the Mikeyy Worm Attack.
InformationWeek Analytics has published an independent analysis on the current state of security. Download the report here (registration required).