# The Twitter Attack - a cautionary tale for email users



## Irreverent (Sep 1, 2009)

Insight into how Twitter accounts (or any system's accounts) can be compromised by assuming the identity of a long-unused generic email (Hotmail, Gmail, Yahoo, etc.) account.

Cross-posted from RISKS Digest issue 25.75



> Date: Fri, 24 Jul 2009 11:41:27 -0700
> From: Gene Wirchenko
> Subject: Beware of Outdated E-mail Addresses
> 
> ...



tl;dr: if you use generic email accounts for your internet/fandom activities, make sure that they are still current and that *YOU* own them. If you don't, someone else might be able to deduce your account on Hotmail et al. and hijack the password reset function to take over your accounts.


----------



## Hir (Sep 1, 2009)

Isn't that how Boxxy was hacked? They found an old MySpace account that belonged to her, and the email didn't exist anymore. They remade the email and used Forgot Password and bam, they had her password.


----------



## Hackfox (Sep 1, 2009)

DarkNoctus said:


> Isn't that how Boxxy was hacked? They found an old MySpace account that belonged to her, and the email didn't exist anymore. They remade the email and used Forgot Password and bam, they had her password.



I think that is what happened. I'm not 100% though.


----------



## Aeturnus (Sep 1, 2009)

So that's what, the fifth time somebody hacked into Twitter? I swear it sounds like Twitter is a hacker's paradise.


----------



## Azure (Sep 1, 2009)

What the hell is Twitter even for?  This makes me glad I don't use it.


----------



## SnowFox (Sep 1, 2009)

So simple. I'm jealous that I didn't think of something like that.

:thumbsup:


----------



## Grey Jinjo (Sep 1, 2009)

It's hardly hacking. It's just a clever way of getting someone's password.


----------



## RoqsWolf (Sep 1, 2009)

DarkNoctus said:


> Isn't that how Boxxy was hacked? They found an old MySpace account that belonged to her, and the email didn't exist anymore. They remade the email and used Forgot Password and bam, they had her password.



Who's boxxy?


----------



## FoxyM (Sep 1, 2009)

RoqsWolf said:


> Who's boxxy?



She's this really hyper girl, I saw her on youtube first, I dunno I guess she was hacked and left? I don't know the whole story.


----------



## Irreverent (Sep 1, 2009)

Grey Jinjo said:


> It's hardly hacking. It's just a clever way of getting someone's password.



Agreed.  And it's not even clever, it's exploiting a security fault in how bulk email vendors recycle unused accounts.


----------



## ArielMT (Sep 1, 2009)

Irreverent said:


> Agreed.  And it's not even clever, it's exploiting a security fault in how bulk email vendors recycle unused accounts.



With a twist of social engineering through the apathy/disinterest vector.

If you're going to stop using an email address, make sure none of your Web site accounts are using it.  If any are, change it.
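A defensive counterpart to this advice, as an added example that is not code from the thread or from any provider: a reset flow that refuses to mail a reset link when the user last proved ownership of the recovery address too long ago, and that tags the mail with the RFC 7293 Require-Recipient-Valid-Since header so a participating provider bounces it if the mailbox was re-created after that date. The account records, the 365-day policy and the example.org addresses are constructed assumptions.

```python
"""Password-reset handling that accounts for recycled recovery addresses.

Assumes each account stores its recovery address and the datetime at which
the user last confirmed it (constructed records below).  Not the thread's
code; the one-year policy window is an assumed knob.
"""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime

MAX_UNCONFIRMED_AGE = timedelta(days=365)  # assumed policy window


def reset_decision(account, now, max_age=MAX_UNCONFIRMED_AGE):
    """Return 'send' or 'reverify' for a reset request.

    'reverify': ownership of the recovery address was last proven too long
    ago, so the site should ask the user to confirm it again (or use another
    factor) instead of mailing a link that a new holder of the mailbox could use.
    """
    if now - account["recovery_confirmed_at"] > max_age:
        return "reverify"
    return "send"


def build_reset_mail(account, token):
    """Build the reset message with an RFC 7293 header.

    A provider honouring Require-Recipient-Valid-Since refuses delivery when the
    mailbox was (re)created after the given date, which is exactly the case
    where the address has been recycled to someone else.
    """
    addr = account["recovery_email"]
    msg = EmailMessage()
    msg["From"] = "no-reply@example.org"          # constructed sender
    msg["To"] = addr
    msg["Subject"] = "Password reset"
    valid_since = format_datetime(account["recovery_confirmed_at"])
    msg["Require-Recipient-Valid-Since"] = f"{addr}; {valid_since}"
    msg.set_content(f"Reset link: https://example.org/reset?token={token}\n")
    return msg


# Constructed sample accounts: one recently confirmed, one long dormant.
NOW = datetime(2009, 9, 1, tzinfo=timezone.utc)
ACCOUNTS = {
    "active": {"recovery_email": "fox@example.com",
               "recovery_confirmed_at": NOW - timedelta(days=30)},
    "dormant": {"recovery_email": "old-handle@example.net",
                "recovery_confirmed_at": NOW - timedelta(days=900)},
}

if __name__ == "__main__":
    for name, acct in ACCOUNTS.items():
        print(name, reset_decision(acct, NOW))
    print(build_reset_mail(ACCOUNTS["active"], "TOKEN")["Require-Recipient-Valid-Since"])
```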


----------



## hitokage (Sep 2, 2009)

What e-mail providers besides Microsoft actually recycle abandoned accounts? None of the others (Google, Yahoo, AOL) do as far as I know.


----------



## Irreverent (Sep 2, 2009)

hitokage said:


> What e-mail providers besides Microsoft actually recycle abandoned accounts? None of the others (Google, Yahoo, AOL) do as far as I know.



To be fair, I'm not sure that any of those providers have been in the business long enough to need to recycle accounts.  Gmail is less than 2 years old, Yahoo maybe 5, and AOL (to the best of my knowledge) isn't in that space.


----------



## Stratelier (Sep 2, 2009)

> Hacker Croll first jacked the personal Gmail account of a Twitter employee ... by resetting the account's password. *To do that, Hacker Croll had to answer one or more personal questions used to authenticate the user.* According to TechCrunch, Hacker Croll had previously researched this employee, and others at Twitter, by digging through the Internet for likely responses.


This, people, is why you should never disclose your PornStar nickname to the Internet.

(On a technical note, that's called _cracking_, not hacking.)

Security questions are epic fail anyway.  They SHOULD be asking you for stuff like the MD5 of your monitor's serial number, not the color of Fido's eyes or the brand of pet food you feed him...


----------



## Irreverent (Sep 2, 2009)

Stratadrake said:


> This, people, is why you should never disclose your PornStar nickname to the Internet.



Always good advice! 



> (On a technical note, that's called _cracking_, not hacking.)



Yeah, I caught that too.  The article doesn't make the distinction, but considering its target audience, it's probably OK.



> Security questions are epic fail anyway.  They SHOULD be asking you for stuff like the MD5 of your monitor's serial number, not the color of Fido's eyes or the brand of pet food you feed him...



"Quick, what's mod5(yourHighSchool)^average_no pepperonies on your last pizza?"

Make the question too hard and all you do is annoy folks like ArielMT that have to answer the calls for resets.


----------



## Luna Silvertail (Sep 2, 2009)

RoqsWolf said:


> Who's boxxy?



This might help you. XD
http://knowyourmeme.com/memes/boxxy




> Yeah, I caught that too.  The article doesn't make the distinction, but considering its target audience, it's probably OK.



Hence why people on DeviantArt always think there is some hacker or something, when they were the ones that gave their password out in the first place. >_o


----------



## net-cat (Sep 2, 2009)

Irreverent said:


> To be fair, I'm not sure that any of those providers have been in the business long enough to need to recycle accounts.  Gmail is less than 2 years old, Yahoo maybe 5, and AOL (to the best of my knowledge) isn't in that space.



Gmail was launched in 2004.
Yahoo Mail was launched in 1997.
And I remember getting AOL floppies back when there was only one digit in my age.

I'm inclined to agree, though. Recycling email addresses is a bad idea.


----------



## ArielMT (Sep 2, 2009)

Stratadrake said:


> Security questions are epic fail anyway.  They SHOULD be asking you for stuff like the MD5 of your monitor's serial number, not the color of Fido's eyes or the brand of pet food you feed him...



I have some customers who couldn't even answer simple questions like that.

The worst are sites that require you to choose three questions from a pool of five or six, all with instinctively easy-to-guess answers, so much so that it's hard to remember any fake answers.



Irreverent said:


> "Quick, what's mod5(yourHighSchool)^average_no pepperonies on your last pizza?"



0xD34DB33F



Irreverent said:


> Make the question too hard and all you do is annoy folks like ArielMT that have to answer the calls for resets.



Thankfully, by being such a local shop, customers can always verify themselves by showing up in person and meeting the people they talk to on the phone.  Very unintrusive two-factor authentication that megacorporations just can't handle: something you know, and something you are.


----------



## Stratelier (Sep 2, 2009)

ArielMT said:


> 0xD34DB33F


That doesn't even pass a sanity check.

But seriously, folks....

It can't be overstated that security questions commonly focus on stuff that even your younger brother could guess (Mom's maiden name?  Check.  First pet?  Double-check.  Phone number?  Jackpot!) -- IN HIS SLEEP.

Security questions need to ask you stuff that is a REAL secret.  You know, like the full name of the protagonist in that novel you're still bouncing around in your head (admit it, you know you are).


----------



## ArielMT (Sep 2, 2009)

Stratadrake said:


> That doesn't even pass a sanity check.



Neither do I.


----------



## hitokage (Sep 3, 2009)

Irreverent said:


> To be fair, I'm not sure that any of those providers have been in the business long enough to need to recycle accounts.  Gmail is less than 2 years old, Yahoo maybe 5, and AOL (to the best of my knowledge) isn't in that space.


Where have you been? Time has been flying by when you weren't looking.

Gmail accounts were available by invite at least four years ago (I knew a few people that had them, but I wasn't interested at the time). Yahoo has had accounts for at least nine years, as I have e-mails from people that long ago with them. AOL ended up in that space when they bought Netscape, as they provided a free e-mail service (Netscape.net addresses), and they currently provide them now as AIM.com addresses. The Netscape users were given AIM.com accounts, but I have no idea whether they migrated inactive accounts. Those that had a Netscape account can still receive e-mail sent to them with either domain.

I just took a quick look at Wikipedia to see what it had to say on the subject. HoTMaiL was launched July 1996, and acquired by Microsoft and rebranded as MSN Hotmail in 1997. RockMail was launched by Four11, who was then acquired by Yahoo in 1997; Yahoo! Mail was launched shortly after. In my brief search I didn't come across information about the Netscape.net free e-mail launch, but AOL started providing AIM.com addresses June 2005. Last, but not least, Gmail invites have apparently been around since about April 2004, making them a bit over five years old.


----------



## Irreverent (Sep 3, 2009)

Stratadrake said:


> Security questions need to ask you stuff that is a REAL secret.  You know, like the full name of the protagonist in that novel you're still bouncing around in your head (admit it, you know you are).



The problem is, few site developers allow you to pick your own question.  Most use a drop-down list of canned questions.



hitokage said:


> Where have you been? Time has been flying by when you weren't looking.



I guess I wasn't paying as much attention to that space as I should.  But when you ARE the ISP, you tend not to use generic email account providers.  I have lab servers for most of my "throw away" email addresses.

Thanks for the history lesson.


----------



## Stratelier (Sep 3, 2009)

Irreverent said:


> The problem is, few site developers _[can even think up decent security questions in the first place.]_


Fix'd


----------



## hitokage (Sep 4, 2009)

Irreverent said:


> I guess I wasn't paying as much attention to that space as I should.  But when you ARE the ISP, you tend not to use generic email account providers.  I have lab servers for most of my "throw away" email addresses.
> 
> Thanks for the history lesson.


I haven't gotten to work for an ISP. Back in the late nineties and earlier in this decade I applied for jobs with AOL, as they are within driving distance, but was never interviewed. These days I do mostly network/systems admin contract work for the U.S. Government, but I've wanted to do more work in a NOC environment (i.e. more server hardware and networking equipment).

I haven't paid too much attention, but some of this stuff just sticks in my head. Also, back in the day some ISPs (CompuServe) could be stingy with e-mail addresses; it was also so that if we changed providers or went without internet access (not too hard to do then), everyone else in the house didn't have to send an e-mail address change to everyone they knew.


----------

