Twitter's @Ev Confirms Hacker Targeted Personal Accounts; Attack Was "Highly Distressing."


Back in May, Twitter was hacked by someone who got into the accounts of several Twitter employees and then gained access to high-profile accounts such as those of Britney Spears and Ashton Kutcher. The breach was the work of someone going by the name Hacker Croll, who posted the compromised screen shots on a French message board. Now more screenshots attributed to the same hacker have popped up on another French site (rough translation here).

According to the post, Hacker Croll was able to compromise the Twitter accounts of founder Evan Williams, his wife, and several employees. Using password recovery techniques, Hacker Croll claims he gained access to various Paypal, Amazon, Apple , AT&T, MobileMe and Gmail accounts. I emailed Evan Williams asking about the breach.  He confirms:

Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of twitter where someone gained access to user’s accounts. This had nothing to do with the security of, and there were no user accounts compromised here.

Some notes:
– He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
– There is also no evidence that he gained access to my email. There was one administrative employee who’s email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
– He also successfully targeted a couple other employees personal accounts (Amazon, AT&T, Paypal…)

In general, most of the sensitive information was personal rather than company-related. Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email.

Above and below are purported screenshots of Williams’ accounts on Twitter, Gmail, and GoDaddy. He claims he was able to access Twitter’s domain name account on GoDaddy and could have redirected the traffic to another IP address (I’m sure that would have worked for about three minutes).  The Gmail access, if true, would have been more troubling.  Once the hacker got into @ev’s Gmail account, password recovery for other accounts was easy.  He claims to have gained access to some internal documents, including projections for reaching 25 million users in 2009, 100 million in 2010, 350 million in 2010, and an outlandish goal to eventually become the first Internet service to reach one billion users. So maybe some corporate information was compromised.

Here is a list of some of the other things he claims to have found out, along with screenshots below, the last being a plan for Twitter’s new office space, including a sleeping room, a playing room, greenhouse, a meditation room, bicycle room, gym,washer/dryer, wifi, lockers, wine cellar, and an aquarium. Twitter moved into its new digs in July (the accounts were compromised in May, which is when all of this information dates from):

  • the complete list of employees
  • their food preferences
  • their credit card numbers
  • some confidential contracts with Nokia, Samsung, Dell, AOL, Microsoft and others
  • direct emails with web and showbizz personalities
  • phone numbers
  • meeting reports (very informatives)
  • internal document templates
  • time sheet
  • applicant resumes
  • salary grid (time for me to

Who knows if any of this is true (there are no actual screenshots of the corporate documents), but it is enough to make any executive wary of living too much in public.