Could you be hacked like Twitter?

The alarming thing about the methods used is they could happen to anyone

The French hacker who broke into Twitter's Google Apps and stole more than 300 private company documents has revealed in detail how he did it. Using a method known as "cracking," the man who goes by the name Hacker Croll was able to break down Twitter security by trolling the Web for publicly available information, according to TechCrunch. Eventually, Croll found one weakness many of us are guilty of -- using one password for everything -- and Twitter's security was compromised. Read on to see how Hacker Croll did it, and consider whether access to your digital life could be breached by his methods.

Croll Cracks Twitter

Hacker Croll started by building a profile of his target company, in this case Twitter. Basically, he assembled a list of employees, their positions within the company, and their associated e-mail addresses. After the basic information was accumulated, Croll built a small profile for each employee with their birth date, names of pets, and so on. After Croll had created these profiles, he just went about knocking on doors until one fell down. That's exactly what happened when he did a password recovery process for a Twitter employee's personal Gmail account. Croll discovered that the secondary account attached to this person's Gmail was a Hotmail account. The problem was that Hotmail account had been deleted and recycled due to inactivity -- a longstanding policy on Hotmail. Now, all Hacker Croll had to do was reregister the Hotmail account for himself, go back and do the Gmail password recovery, and then Gmail sent the password reset information straight to the bad guy. But it's not over yet. Gmail asked Hacker Croll to reset the password of the Twitter employee's personal e-mail account, which he did. But now the original user was locked out of their account, which would send up an obvious red flag. So all Croll did was search the Gmail account itself for passwords from the person's other active services. Then he entered a commonly used password he'd found, and waited to see if the person began using their account normally. Croll now had access to the Gmail account from behind the scenes, and was able to access information undetected. Making life even eaiser, the Twitter employee used the same password on her business and personal accounts, so the hacker now had access to both, and the rest was history.

Are You Vulnerable to the Same Crack?

The alarming thing about Croll's methods is they could happen to anyone. I checked my own Google account last week, and discovered I was open to the same security flaw the Twitter employee was. I had registered my Gmail account so long ago, that I'd forgotten all about my secondary e-mail address. Just like the Twitter employee, the secondary email attached to my Google Account was defunct and possibly open to re-registering by anyone. That has since been changed. I also did a search within my own email for passwords I've used, and I was amazed at how many results were returned. Do a search in your e-mail account using your most common passwords, and see what turns up. You might be surprised. But there are a myriad of other ways a hacker could get your information. Have you ever received a Happy Birthday greeting on a public service like Twitter? Have you ever sent someone your phone number or any other information that way? What information is sitting on your social networking sites? Are your MySpace and Facebook accounts closed off, or can anyone view them who searches for you? Does your Facebook page have your birthdate, the past schools you've attended, your pet's name? Could your mother's maiden name -- a common security question -- be discovered through your social network account? What about the myriad of other services you use? If you think it's unlikely that someone could find this information, then try searching for yourself in the so-called "Deep Web" search engines like Pipl or Spokeo and see what comes up. You may find online accounts you'd completely forgotten about.

Webmail Security Similar

The other problem is that most of the major e-mail services use similar recovery methods to Google's. Hotmail is almost exactly the same as Gmail. Yahoo is even easier, since if you tell Yahoo you can't access your secondary e-mail account you can answer a secret question. Those security measures are what made it possible for a student to hack hack into Alaska Gov. Sarah Palin's Yahoo Mail account last year. In my tests of Yahoo Mail's recovery page, I got what seemed like an unlimited number of opportunities to guess my Yahoo Mail secret question. AOL Mail isn't much better, since you have a choice of entering your secondary e-mail (you have to know it or guess) or you can enter your exact birthdate plus your Zip code on file with AOL. The Zip code barrier makes it harder for someone to break in, but by no means impossible. If you've discovered you're open to the same flaws that Twitter was, then consider this your wake-up call. You must regularly check the security settings on your various online accounts so that you remain in control of your security information since it's so easy to forget what you entered years ago. Pay special attention to secondary e-mail accounts connected to your primary e-mail address; consider giving a bogus answer (that only you remember) to security questions; and regularly change your passwords, either by your own invention or with a random password generator like GRC or Strong Password Generator. You could also get away from using just one or two passwords, and use password managers like Clipperz, KeePass or Yubico to remember your details instead. But perhaps most importantly, search for the most common passwords you use in your own webmail accounts and delete those messages. If the worst happens and your account is compromised, you'll be glad you did.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags Gmailsocial networkingtwitter

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ian Paul

PC World (US online)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?