Comments for Updated: Twitter Security Collapses; Obama, Fox and Britney Accounts Hacked

Updated: Twitter Security Collapses; Obama, Fox and Britney Accounts Hacked

2009-01-05T17:21:31Z

Days after a wave of phishing attacks fooled thousands of Twitter users, it appears that another security hole has been found by...someone. Obama's account, unused since election day, sent out an affiliate link to a survey with a gas card prize, Fox News said that "Bill O'Reily is gay" (not that there's anything wrong with that) and Britney Spears' made a lewd post about her anatomy. Rick Sanchez, the Twitter loving CNN anchor, says he's "high on crack and might not be coming into work today."

The Fox tweet was deleted an hour after it was posted, so the password may not have been changed. The Facebook account on Twitter just posted a link to porn, so it appears that the situation remains unresolved. Update: Twitter says it's been resolved but that users should change their passwords! The Twitter blog has just posted an explanation of the breach. Screen shots of the hacked accounts below below.

]]> This can't be good for Twitter. It will be good for the people calling for more secure, standards based authentication on Twitter and elsewhere around the web.

Some suspected that the hacks today were associated with the weekend's phishing attacks, but the Fox News account isn't following anyone - so no one could have direct messaged it. That's how accounts were taken over via phishing. Something else is afoot.

If the hacker is associated with the affiliate link sent out over Obama's account, it may not be hard to discover who did this. Time will tell.

Twitter co-founders Evan Williams, Biz Stone and lead engineer Alex Payne have posted no messages since the attacks emerged. This can't be good for Twitter. What major brand will be excited to sign up for the service now? Who would pay, even, to be put at such risk?

Comment from Kathleen McDade on 2009-01-05

2009-01-05T17:56:21Z

Nice job. I agree, it's worrisome.

Comment from Anita CM on 2009-01-05

2009-01-05T17:59:25Z

A shooting star(Twitter at the moment) is prone to getting burnt fast as well! In it's zeal to make things utterly simplistic it seems they have gone a bit easy on security aspect and if they wish to continue with the exponential growth that it is seeing now they will have to up the ante on security front soon...

Comment from Craig on 2009-01-05

2009-01-05T18:08:49Z

I saw the Britney Tweet earlier today and thought I might of had the fake Brit by accident. Crazy to see as it went done. Hilarious for me and others to read though. I'm sure there is some trouble going on in her camp right now.

Comment from Mat on 2009-01-05

2009-01-05T18:08:55Z

You note: "but the Fox News account isn't following anyone - so no one could have direct messaged it."

But the DMs weren't real. They were spoofed, and came via email, so it wouldn't necessarily follow the standard protocol that you have to have a mutual following relationship to DM.

Comment from Matt May on 2009-01-05

2009-01-05T18:12:01Z

What's with the weird open quote right underneath both names? Looks like somebody figured out an overflow attack, maybe via the API.

Comment from Erica Douglass on 2009-01-05

2009-01-05T18:15:12Z

My guess is that it might not even be Twitter itself that has been hacked, but one of the many services that uses your Twitter password to authenticate. Twitter has absolutely terrible security around its API, and hundreds of these services popped up recently.

-Erica

Comment from Kathleen McDade on 2009-01-05

2009-01-05T18:15:39Z

Mat, the DM's I got were real.

Comment from Web2Mom on 2009-01-05

2009-01-05T18:18:03Z

Gosh! This phishing and hacking accounts is spooky and Twitter seems to be as cool as ever. I wish they take action and tighten-up security features.

Comment from siade on 2009-01-05

2009-01-05T18:22:42Z

Poor little tweety...

Comment from Wesley on 2009-01-05

2009-01-05T18:22:50Z

This might finally push twitter to use something like oAuth. I predict they will launch it by next week and it will be required by every third party app.

Comment from Luke on 2009-01-05

2009-01-05T18:23:00Z

The person who hacked the Obama account used their personal affiliate marketing URL without masking it at all (using tinyurl or whatever), so it'd be super easy to see who it was - since their unique user ID is embedded in the url! dumbasses!

Comment from Marshall Kirkpatrick on 2009-01-05

2009-01-05T18:24:46Z

Luke,they masked it - I just have a greasemonkey script running that displays full URLs

Comment from LOL on 2009-01-05

2009-01-05T18:36:09Z

Go obama!!! lol

Comment from Brandi on 2009-01-05

2009-01-05T18:51:44Z

You missed the FoxNews hack-attack--I have a screenshot posted here: http://twitpic.com/zx64

Fox managed to fix their Twitter within a few minutes.

Hilarious!

Comment from Rizzo on 2009-01-05

2009-01-05T18:54:04Z

Are Britney's razor sharp teeth a turn-off or a turn-on? Help me out here, people.

Comment from Anrkist on 2009-01-05

2009-01-05T18:59:24Z

I just hope nothing happens to ChuckObama's account.

Comment from Dominic Jones on 2009-01-05

2009-01-05T19:00:05Z

Marshall seems right to me. They couldn't have DM'd Fox. And if the DM email is a spoof, how did the hacker know the email address used to open the Fox account? Something else seems to be going on here.

Comment from Hasan Luongo on 2009-01-05

2009-01-05T19:00:33Z

def should have had better security in place and now they are paying the price. just when the fail whale was fading away the hacker phish are threatening to really damage the brand.

I also find it a bit weird that in such a personal space like twitter everyone there is tight lipped not saying anything. that's poor social pr IMHO.

may I suggest: www.mcafeesecure.com

Comment from Scott Shorter on 2009-01-05

2009-01-05T19:03:41Z

If @foxnews didn't leak their password by falling for a phishing attack, the next best guess is that they had a very poor password and the bad guys managed to guess it through brute force attack. It's a shame that twitter doesn't provide feedback on password quality or enforce minimum password complexity rules.

I'm curious to know whether there's an account lockout period after a certain number of failed authentication attempts, to thwart brute force password attacks.

Comment from Suthnautr on 2009-01-05

2009-01-05T19:16:38Z

I predicted yesterday that a well organized attack would target bigger names including Obama's and posted it on my blog. Looks like I was right. Had they really had any brains they could have done a lot more damage.

Comment from Dominic Jones on 2009-01-05

2009-01-05T19:27:04Z

On the Rolling Stone website, this appears:

"I’m Britney’s Social Media Director- I run this twitter account. We did get hacked this morning. We apologize for any offense caused to Britney’s fans and Twitter followers….we never want to offend anyone. Luckily, everything is back under control and we appreciate your understanding.

~Lauren"

Sure if Lauren screwed up, she wouldn't want to say, but it's clear that she thinks the account was hacked.

Comment from Todd on 2009-01-05

2009-01-05T19:29:38Z

BREAKING: Bill O'Reilly is gay!

Comment from Helene K. on 2009-01-05

2009-01-05T19:37:46Z

I read an interesting tweet (before the blow up of all the *big* names on Twitter) that maybe it was someone in the Twitter camp -- how else can you explain the hack of @foxnews? Just a thought, and not mine. There is always a conspiracy theorist.

Comment from Matt W on 2009-01-05

2009-01-05T19:39:08Z

RT @biz about the events of this morning and this weekend: http://bit.ly/e3L0

Comment from Jesse Stay on 2009-01-05

2009-01-05T20:38:39Z

Maybe Twitter is taking their time so Fox and CNN will write about them

Comment from Chris on 2009-01-05

2009-01-05T20:38:47Z

Love the Seinfeld reference - Not that there's anything wrong with that.

Comment from Igor Schwarzmann on 2009-01-05

2009-01-05T20:51:03Z

That may be off topic, but I consider none the less important:

> Fox News said that "Bill O'Reily is gay" (not that there's anything wrong with that)

I do hate O'Reily's guts too, but that is just the wrong tone, Marshall. At the very least, it really doesn't show your superiority, if you're using the same style as the same guys you want to criticize.

Comment from Marshall Kirkpatrick on 2009-01-05

2009-01-05T20:53:06Z

Igor, somebody thought that was a Seinfeld reference. I'm not familiar. I just didn't want "gay" to be used as an insult without note. I'm not sure how else to do that without sounding like a real pedant. suggestions?

Comment from Clay Newton on 2009-01-05

2009-01-05T20:57:34Z

That was a total Seinfeld reference, not that there's anything wrong with that.

Comment from Marshall Kirkpatrick on 2009-01-05

2009-01-05T20:58:28Z

sorry, I haven't had a TV is 15 years, so it was a second hand reference if anything

Comment from Marshall Kirkpatrick on 2009-01-05

2009-01-05T20:58:48Z

Sorry Igor, I don't understand what you mean by your comment.

Comment from Igor Schwarzmann on 2009-01-05

2009-01-05T21:06:22Z

Seinfeld might be a totally awesome reference in the US, but I can assure you, that it's not a good reference in Europe. And since RWW isn't being "transmitted" only into the US-Internet like Hulu, I'm guessing, that it won't change a thing even if it was a Seinfeld reference. ,)

Comment from Web20Critic on 2009-01-05

2009-01-05T21:17:18Z

Does anyone even remember being phished? Surely you'd look at your statusbar when hovering on a link. Pfft!

Comment from TxVoodoo on 2009-01-05

2009-01-05T21:17:45Z

@ Marshall Seinfeld has been off the air for 10 years, and was on for 9 prior to that, so 15 years w/out tv is specious. @Igor - saying that Europe doesn't get Seinfeld is rahter narrow - I have plenty of friends who get it. @all of you who aren't getting this - Richard himself didn't say this, he's quoting the hacked text. Y'all need to acquire a sense of humor AND some reading comprehension.

Comment from Phil Boiarski on 2009-01-05

2009-01-05T21:51:26Z

I thought this was a new marketing move, appealing to a new majority, since the right wing is all knuckle-dragging red necks.

Comment from Konrad on 2009-01-06

2009-01-06T11:28:29Z

stupid, GMZ done a dictionary bruteforce on an admin account as twitter has no rate limit for logons.

for more info check trainreqlol.org

Comment from Soko Banja Apartmani on 2009-01-06

2009-01-06T12:39:09Z

I hait it

Comment from Sarah on 2009-01-06

2009-01-06T14:05:05Z

While this is bad for Twitter, as the users of the internet, we should be aware of the ways to detect phishing after all this is nothing new.

Comment from Luke on 2009-01-06

2009-01-06T17:57:31Z

@Marshall well, even with a tinyurl mask it'd still be easy to find out who posted the link, I would say (even with a mask, their user ID is still in the original URL which is easy to get to, as you've shown). If not for the every-day Twitter reader, than definitely for the affiliate network and the Feds!

Comment from Scott Mahler-Datex Media on 2009-01-06

2009-01-06T22:23:18Z

The good thing is that the twitter community is so quick to update people, that most twitter users were warned by others very early on, especially about the phishing incident. It's too bad twitter has now joined so many other sites, and become victim to idiots that have nothing better to do with their time. It's kind of like social media terrorism, and most of us won't let them knock us off track.

Comment from Janet Altman on 2009-01-09

2009-01-09T20:00:59Z

I believe this thread touches exactly what the real issue is here. As we evolve towards a new frontier that is the digital landscape, we will no doubt have to tackle these very tough digital security issues. There are companies out there that are on the cutting edge of this. They have products that can protect us. It's just a matter of us accepting the concept. I think it's safe to do so if implemented ethicially. In fact, I think it's right, just and above all else...necessary.

Identity theft, asset tampering, you name it. I want it protected.