Report: Hacker broke into Twitter e-mail with help from Hotmail

'Hacker Croll' spills details to TechCrunch, site that published internal Twitter docs

The hacker who stole confidential Twitter documents used a feature of Microsoft's Hotmail to hijack an employee's work e-mail account, the site that has published some of the Twitter documents said Sunday.

According to TechCrunch, the Web site that last week broke the story about the Twitter breach and has posted some of the stolen information, the hacker calling himself Hacker Croll took advantage of poor password practices, Hotmail's inactive account feature and personal information on the Web to pinch hundreds of Twitter documents.

TechCrunch said it convinced Hacker Croll to divulge the details of his attack, and over the course of several days' conversations was able to piece together not only the original breach, but how some information he obtained allowed him to compromise the e-mail accounts of Evan Williams, Twitter's CEO, and one of its co-founders, Biz Stone.

Hacker Croll first jacked the personal Gmail account of a Twitter employee -- last week Stone identified the person as an administrative assistant with the company -- by resetting the account's password. To do that, Hacker Croll had to answer one or more personal questions used to authenticate the user. According to TechCrunch, Hacker Croll had previously researched this employee, and others at Twitter, by digging through the Internet for likely responses.

Security experts last week speculated that the same process used by a Tennessee college student to break into Alaska Gov. Sarah Palin's Yahoo e-mail account was at the root of the Twitter breach.

"[This was] about weak passwords that are easily guessable, with a huge contribution from people's habit of putting online information that they wouldn't otherwise share with anyone but their closest friends," Sam Masiello, vice president of information security at MX Logic said last week in an interview. "It's not hard to crack [password resets] with the information you can find freely available on social networking sites."

At that point, although Hacker Croll had control of the Twitter employee's personal Gmail account, he could not hide his tracks, as the user would have quickly known something was amiss the next time he or she tried to log on to Gmail, and was rebuffed.

"On requesting to recover the password, Gmail informed [Hacker Croll] that an email had been sent to the user??s secondary email account," wrote TechCrunch's Nik Cubrilovic. "Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com."

Hacker Croll deduced that the account was on Hotmail, and then attempted to recover the password on that account as well. The Hotmail account was inactive, however -- a Microsoft practice designed to recycle dormant accounts -- which allowed him to register the inactive Hotmail account. He returned to Gmail and again went through the password recovery process, specifying a password of his own. The new password was then sent to the just-hijacked Hotmail account. "Within a few moments [Hacker Croll] had access to the personal Gmail account of a Twitter employee," explained Cubrilovic. "The first domino had fallen."

Hacker Croll now had control of the Twitter administrative assistant's Gmail account, but with his password, not the one known by the legitimate user. The hacker had to reset the password to the original in order to keep his hijack secret.

From there, said Cubrilovic, it was mostly digital legwork. Hacker Croll browsed the Twitter worker's Gmail account and found several password confirmation messages from other Web sites and services, then reset the account using a password that appeared in several such messages. That was, in fact, the original password; Hacker Croll was able to monitor the account, read its messages and download its attachments, all without anyone the wiser.

"Hacker Croll then used the same password to access the employee??s Twitter email on Google Apps, getting access to a gold mine of sensitive company information from emails and, particularly, e-mail attachments," wrote Cubrilovic. Included in that gold mine were the usernames and passwords of other Twitter employees, which Hacker Croll used to break into the work e-mail accounts of Williams and Stone, among others.

According to Cubrilovic, the one-password-for-all-sites habit of the hacked employee was not uncommon at Twitter. "Most/all Twitter employees used the same password for their Google Apps e-mail (the Twitter e-mail account) as [they] did with [their] personal Gmail account," he said.

Last week, Masiello urged users to create stronger passwords -- a blend of alphanumeric and special characters, such as "#" and "&," for instance -- and use different passwords for each service or site. But he wasn't optimistic that his advice would hit home. "I think it's going to take a lot more than this incident to convince people," he said. "It just goes to show that even though we've been talking about strong and multiple passwords for years, people still haven't caught on."

Twitter has threatened legal action against the sites, including TechCrunch, that have published the stolen documents, but legal experts warned last week that it was hard to predict whether it would succeed.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags hackerstwitter

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?