How Twitter and Obama Got Hacked


Both Obama’s Twitter account and Twitter itself got hacked into. Can you believe that? Well, I read a great article on how the hacker did it.

This will amaze, but hopefully will inspire you to take action, too.

The hacker’s name is “Hacker Croll”. He’s a 20-something Frenchman who breaks into corporate and personal accounts in his spare time. Hackers like Croll are incredibly diligent and patient, as you’ll see here.

Hacker Croll shamelessly publishes the methods by which he gains access to accounts. To start with, he works through an entire network of sites to gather enough information to break into the target. He builds a database of information about the company and its employees and keeps track of anything he can get his hands on, even the names of the employees’ pets.

As you continue to read this, keep Nicole Dean’s e-Book “How To Avoid Disaster” in the back of your mind. Can you really afford to be without it?

Hacker Croll knew that he probably needed only a single point of entry into any one of the business or personal accounts on his list. Since most sites are set up so that users log in with an e-mail address and a password, once he got one account he could likely break into many. Why?

Because people generally use the same e-mail address and password on every site. Imagine someone got into your e-mail account. Could they not go to any site on the web, press the “I forgot my username” or “I forgot my password” button, and have the reset link delivered straight to the inbox they now control? It is precisely this system that allows hackers like Hacker Croll to turn your simple Hotmail password into a way into your bank account.

Going back to Twitter, Croll knew that he only needed to find the employee with the weakest password to get into the network. Companies that let employees choose their own passwords, with no rules against weak or reused ones, are in jeopardy for precisely this reason. Unfortunately for Twitter, Croll found such an employee and was able to break into his Gmail account.

If you’re a business owner, you should know that because of human habits, someone could break into your server just by learning the password of an employee’s personal blog, or e-mail service or twitter account.

From there, Croll mined the Gmail account for information about other sites the employee was registered at. He quickly found that the employee used the same password at many of them. And on sites that offer a “secret question” reset, he found it even easier to break in. Imagine trying to break into an account where there are a billion possible passwords, and then getting help from the secret question as it narrows the options down to “pet names”, which were already sitting in his database.

From this point Croll had access to all of the employee’s e-mail attachments, business notes, and other important information. That quickly led him to take over the accounts of the founders, Evan Williams and Biz Stone. Croll then got control of their AT&T, Amazon, iTunes and MobileMe accounts.

He got access to over 300 business documents, which he sent directly to the media to prove he’d broken in. In this case he didn’t sell the secrets or hurt anybody. He did what he set out to do: expose weakness. He even sent them a note that said “better fix your holes, or someone malicious will break in next time.”

Regina Smola, of WordPress Security Lock, and I are putting on an internet security seminar on March 31st. We’re going to teach you everything you need to know about keeping your WordPress blog and Twitter account safe and secure, and how to recover from problems should they occur. If someone hacking into your accounts would put you at risk, you and your employees need to join us!

Take Action today. Go to – This is one problem where waiting could be too late.

This Post Has 5 Comments

  1. dan

    I’m not sure I’d agree with the “cool beans” part. I think sending confidential data to the press is crossing the line.

  2. Cynthia LaLuna

    I guess he had to prove he had really gotten in somehow – and sending confidential information that couldn’t have been made up was the easiest way. The fact of the matter is, guerrilla do-gooders like him will ALWAYS provide more useful security information than any corporate testing program – in-house testing and procedures are very difficult to isolate from assumptions and shortcuts.

    Cool beans that he wasn’t malicious, merely loves a challenge, and provided good information. And the press? Have they ever exhibited a different character? Nah. That’s why I didn’t choose journalism. No stomach for it.

  3. dan

    I agree. What I thought was even more irresponsible was the media companies that decided to print what was in the stolen documents. Some of them kept some of the stuff confidential, but others like TechCrunch said “the financial projections stuff was too important. We had to publish it.”
  4. Tony G

    I am all for exposing weaknesses to highlight poor security, but sending confidential information to third parties is irresponsible, illegal, and by definition theft. He stole company information. Plain and simple.
