The hacker who stole confidential Twitter documents used a feature of Microsoft’s Hotmail to hijack an employee’s work e-mail account, the site that has published some of the Twitter documents said Sunday.

According to TechCrunch, the Web site that last week broke the story about the Twitter breach and has posted some of the stolen information, the hacker calling himself Hacker Croll took advantage of poor password practices, Hotmail’s inactive account feature and personal information on the Web to pinch hundreds of Twitter documents.

TechCrunch said it convinced Hacker Croll to divulge the details of his attack, and over the course of several days’ conversations was able to piece together not only the original breach, but how some information he obtained allowed him to compromise the e-mail accounts of Evan Williams, Twitter’s CEO, and one of its co-founders, Biz Stone.

Hacker Croll first jacked the personal Gmail account of a Twitter employee — last week Stone identified the person as an administrative assistant with the company — by resetting the account’s password. To do that, Hacker Croll had to answer one or more personal questions used to authenticate the user. According to TechCrunch, Hacker Croll had previously researched this employee, and others at Twitter, by digging through the Internet for likely responses.

Security experts last week speculated that the same process used by a Tennessee college student to break into Alaska Gov. Sarah Palin’s Yahoo e-mail account was at the root of the Twitter breach.

more from ComputerWorld

---

Filed under: Security - @ July 20, 2009 5:03 pm

Tags: corporate, hacking, twitter