How Twitter was hacked

Last week social networking site Twitter was hacked, with hundreds of private corporate and personal documents stolen. The documents were released by tech blog TechCrunch, which has now revealed the hacker’s method for obtaining the files.

The hacker, known as “Hacker Croll”, first used public search engines and information to build a database of the company and its employees, with personal information such as birthdays and career history.

He then found the Gmail address of an employee, and used a password recovery feature to gain access. The recovery feature then directed Croll to a secondary email address at Hotmail.

The email address was actually shut down after a long period of inactivity, as per Hotmail policy. But Croll then reactivated the email address, gained access to the Gmail password and then used that to search that user’s inbox for other passwords.

From there, Croll gained access to other accounts and then searched them for sensitive information included as attachments, which then led to discoveries of other passwords and information.

Eventually Croll was able to access phone logs, purchasing histories, more emails, credit card information and other personal employee information. The whole time, Twitter had no idea it had been compromised.

But Croll told TechCrunch that he did not intend to sell the information for money, and that he stole the documents to show Twitter how to improve its security.
