Twitter hack explained by hacker

The person responsible for the Twitter hack that saw various celebrity twitter accounts announcing bizarre news, or pointing to spam sites, has come forward and spoken to Wired magazine. There were numerous theories on how the person, who goes by the handle GMZ, gained access to those accounts. It turns out that it was a simple brute force dictionary attack on a Twitter account's password. The hacker, who only identified themselves as an 18 year old US student, had been randomly targeting apparently popular users with his own, dictionary based, brute force password guesser. It appears that Twitter allows an unlimited number of rapid fire logins, and after an overnight run, the hacker found that a popular user with the name "crystal" had a password of "happiness".

The hacker logged in to the account and found that crystal was a Twitter staff member and he now had access to the administrative panel of Twitter. Deciding not to use other hacked accounts directly, partly down to his not using a proxy, the hacker then offered password resets to users of Digital Gangster who requested passwords for Barack Obama, Facebook, Fox News, Britney Spears and others. According to Twitter, thirty three accounts were compromised. Biz Stone, Twitter co-founder, confirmed that a dictionary attack had been used, but would not confirm the username, password or other details, telling Wired "Regarding your other questions, I'd feel more comfortable addressing them once we've spoken to counsel, because this is still ongoing".

(djwm)