An 18-year old hacker, who managed to breach Twitter's administration systems and take over multiple high-profile accounts, has admitted his guilt.
The teenager, who goes by the handle GMZ, told the Wired Threat Level blog that he broke into Twitter's administrative control panel by using an automated password-guesser program on the account of a popular user.
It turned out that this user was a Twitter support staff member called "Crystal", who had chosen the easy-to-guess password "happiness". He said that breaking into the account was easy as Twitter allowed an unlimited number of rapid log-in guesses.
Using a self-created tool, he used a dictionary program which automatically tried English words and managed to gain access into Crystal's account. He was then able to access any other Twitter account by resetting an account holder's password.
He told Wired in an IM interview: "I feel it's another case of administrators not putting forth effort towards one of the most obvious and overused security flaws. I'm sure they'll find it difficult to admit it."
He didn't use the hacked accounts personally, instead offering hackers in his forum access to any Twitter account by request. This led to the access and defacement of feeds for Barack Obama, Britney Spears, Fox News and Facebook among others.
Twitter confirmed to Wired that the intruder had used a dictionary attack to gain access to the administrative account, although it refused to confirm the other details. It has so far not taken any legal proceedings.
Co-founder Biz Stone did say in a follow-up email that Twitter was doing a "full security review on all access points to Twitter. More immediately, we're strengthening the security surrounding sign-in. We're also restricting access to the support tools for added security."
-
The NCSC says it’s time to switch to passkeysNews UK security organization calls for companies to step up and offer more secure ways to login
-
AI agents are creating new identity security risks: 1Password wants to solve thatNews The Unified Access system from 1Password will help enterprises manage AI agent access across different devices and users
-
Using AI to generate passwords is a terrible idea, experts warnNews Researchers have warned the use of AI-generated passwords puts users and businesses at risk
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
Thousands of exposed civil servant passwords are up for grabs onlineNews While the password security failures are concerning, they pale in comparison to other nations
-
Gen Z has a cyber hygiene problemNews A new survey shows Gen Z is far less concerned about cybersecurity than older generations
-
Passwords are a problem: why device-bound passkeys can be the future of secure authenticationIndustry insights AI-driven cyberthreats demand a passwordless future…
-
LastPass just launched a tool to help security teams keep tabs on shadow IT risksNews Companies need to know what apps their employees are using, so LastPass made a browser extension to help
