Twitter Discloses Reason For Several High Profile Account Security Breaches: Support Tools Compromised

Several high profile Twitter users' accounts were breached today. Barack Obama, FoxNews, BritneySpears, RichSanchezcnn, LeoLaporte and others were all taken over. The posts made by the hackers on these accounts ranged from funny (FoxNews announced that Bill O'Reilly is gay, RichSanchez said he was high on coke) to scams (Barack Obama offered prizes if you took a survey). The post from Biz over at Twitter is below:


Monday Morning Madness


This morning we discovered 33 Twitter accounts had been "hacked" including prominent Twitter-ers like Rick Sanchez and Barack Obama (who has not been Twittering since becoming the president elect due to transition issues). We immediately locked down the accounts and investigated the issue. Rick, Barack, and others are now back in control of their accounts.

What Happened?

The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.

Reacting Quickly and Fixing the Problems

In addition to this Monday morning madness we're coming off a wacky weekend where lots of folks were tricked into participating in a Phishing scam aimed at Twitter users. In both cases, our on-call team was able to attend to the matter quickly and prevent too many people from being affected. Our support team is definitely going to have a busy week because we reset a bunch of passwords just to be on the safe side.

Could OAuth Have Helped?

We plan to release a closed beta of the open authentication protocol, OAuth, this month, but it's important to note that this would not have prevented a Phishing scam nor would it have prevented these accounts from being compromised. OAuth is something we can provide so that folks who use third party applications built on the Twitter API can access their data while protecting their account credentials.