"Remember to use passwords without any similarity between them.... Remember to change them regularly.... Never store confidential information on the computer...." These helpful suggestions on computer security may sound like the types of basic tips you'd receive from a company's IT department, but they're written by Hacker Croll, the alias of the person claiming responsibility for cracking into Twitter's corporate documents. His suggestions are included in a fascinating article by TechCrunch's Nik Cubrilovic that offers a step-by-step description of how Croll cracked their networks. And the techniques he used are so simple and seemingly obvious, it's enough to give anyone who's used a pet's name for a password some serious heartburn.
Hacker Croll, described by TechCrunch as a Frenchman in his twenties, says he began his attack by putting together a dossier of Twitter's employees, including a list of their email addresses. It didn't take long to find their staff on Gmail and other Web-based email services. The dominoes began to fall when he discovered that the Hotmail address used by one person to recover forgotten Gmail passwords had actually expired, so he simply created a new Hotmail account using the same user name, then asked Gmail's password recovery service to email that account.
From there, it was just a matter of time before he accessed other Twitter e-mail accounts, Google Docs detailing their business strategy, even credit card numbers of employees stored in iTunes. As Nik Cubrilovic notes in the article, one of the most powerful tools Hacker Croll had at his disposal was the "secret question" feature available on many Web services. For example, if you forget your password, this feature would let you answer a question like "What's the name of your first pet?", "Who was your first kiss?" or "What street did you grow up on?" The answers to these questions are easy to remember, but they're also often easy to google, making a hacker's work a piece of cake. These techniques, combined with Twitter relying heavily on cloud computing services like Google Docs, allowed Hacker Croll to embarrass the company significantly.
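As an added illustration (not from the article or from TechCrunch), here is a toy model of the recovery-flow weakness described above: a password reset that only checks whether the recovery address currently exists, beside one that refuses unless the address still belongs to the registration the user originally verified. The webmail provider, the account ids and the addresses are constructed for the example; a real service cannot see another provider's account ids, so the "bound id" stands in for periodically re-verifying a recovery contact before trusting it.

```python
from dataclasses import dataclass, field

# Constructed toy webmail provider (not a real API): every registration of an address
# gets a fresh id, so an expired address re-registered by someone else has a new id.
@dataclass
class MailProvider:
    accounts: dict = field(default_factory=dict)   # address -> current account id
    outbox: list = field(default_factory=list)     # (address, account id, message)
    next_id: int = 1

    def register(self, address: str) -> int:
        self.accounts[address] = self.next_id
        self.next_id += 1
        return self.accounts[address]
    def expire(self, address: str) -> None:
        del self.accounts[address]                 # address is free to re-register
    def deliver(self, address: str, message: str) -> None:
        self.outbox.append((address, self.accounts[address], message))

@dataclass
class PrimaryAccount:
    username: str
    recovery_address: str
    bound_id: int = 0   # provider id seen when the user verified the address (0 = never)

def weak_reset(acct: PrimaryAccount, provider: MailProvider) -> bool:
    """Weak: only checks that the recovery address currently exists."""
    if acct.recovery_address not in provider.accounts:
        return False
    provider.deliver(acct.recovery_address, f"reset link for {acct.username}")
    return True

def hardened_reset(acct: PrimaryAccount, provider: MailProvider) -> bool:
    """Hardened: refuses unless the address still belongs to the verified owner."""
    if provider.accounts.get(acct.recovery_address) != acct.bound_id:
        return False   # expired or re-registered: require another verified channel
    provider.deliver(acct.recovery_address, f"reset link for {acct.username}")
    return True

def scenario(reset_fn) -> tuple:
    """Replays the chain from the article: verify, expire, re-register, reset."""
    provider = MailProvider()
    acct = PrimaryAccount("employee", "employee@hotmail.example")
    acct.bound_id = provider.register(acct.recovery_address)   # user verifies address
    provider.expire(acct.recovery_address)                     # address lapses
    new_owner_id = provider.register(acct.recovery_address)    # someone else re-registers
    sent = reset_fn(acct, provider)
    reached_new_owner = any(aid == new_owner_id for _, aid, _ in provider.outbox)
    return sent, reached_new_owner
```

`scenario(weak_reset)` returns `(True, True)`: the reset link is mailed and lands with the new owner of the address. `scenario(hardened_reset)` returns `(False, False)`.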
It's a really good read - check it out on TechCrunch. Then - please - go change your passwords.