Twitter co-founder Biz Stone said in a blog post that this attack is separate from the phishing attack earlier this week, in which many Twitter users were tricked by a phony direct message purportedly from one of the victim's followers, taking them to a look-alike Twitter home page set up to steal their credentials.
Stone said "an individual" gained access to tools the site's support team uses to help users with tasks, such as editing the email address tied to their Twitter accounts. "We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure," Stone blogged.
In the meantime, the attacker was able to post phony tweets on behalf of the hijacked user accounts -- everything from tasteless tweets on Sanchez's and Spears' sites, to Obama's site offering a $500 gas card for taking a survey, according to a WashingtonPost.com report. The Post also speculates the hack may be the handiwork of a hacker who hangs out on DigitalGangster, the hacker Website that posted stolen Miley Cyrus photos earlier this year.
Graham Cluley, senior technology consultant for Sophos, says Twitter's reference to an individual behind it raises questions of whether this was an external hack or an inside job. Either way, it was a major hack, he says. "If the intruder was able to break into accounts as varied as Britney Spears, Barack Obama, and Rick Sanchez, then they could potentially have broken into anyone's Twitter account. They must be taking a long, hard look at their security now to ensure that such a breach is never possible again," Cluley says.
It could have been worse, though. "It would have been much worse if, for instance, the intruder had posted an update saying, 'Check out my new music video' [on Spears' site] or 'Watch a video about my plans for the economy' [on Obama's site]," he says. "That could have taken thousands of users to a malicious Website, keen to watch the latest from Britney or Barack Obama."
Twitter, meanwhile, plans to release a beta version of OAuth to its members this month -- an open authorization protocol that lets members grant third-party applications built on Twitter's API access to their data without handing those applications their Twitter username and password. "...but it's important to note that this would not have prevented a Phishing scam nor would it have prevented these accounts from being compromised," Twitter's Stone blogged.
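To make Stone's point concrete, here is an added illustration of what OAuth (the 1.0a flavor Twitter was rolling out, as specified in RFC 5849) actually changes for a third-party application. This is example code written for this article, not Twitter's implementation: the consumer key, token, secrets and the endpoint URL are constructed sample values. The application signs each API call with a per-user token and an HMAC key derived from two secrets; the user's password is never sent, and the server recomputes the signature over what it received, so a tampered body, a replayed request, or a stale timestamp is rejected. Note what it does not do: a phishing page that collects the password directly, or an attacker sitting on an internal support tool, is outside the protocol entirely.

```python
"""OAuth 1.0a request signing and verification (HMAC-SHA1, RFC 5849).

Added example for this article, not Twitter's code. All keys, secrets and the
API endpoint below are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s: str) -> str:
    """RFC 5849 percent-encoding: only the RFC 3986 unreserved set stays bare."""
    return quote(s, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lowercased, query and fragment dropped (assumes default port)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def request_params(url: str, body_params: dict) -> list:
    """Query-string and form-body parameters that take part in the signature."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return query + list(body_params.items())


def signature_base_string(method: str, url: str, params: list) -> str:
    """Encode each pair, sort by key then value, join, then encode the three parts."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Key = encoded consumer secret '&' encoded token secret; neither is transmitted."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None) -> str:
    """Client side: build the Authorization header for one API call."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    params = list(oauth.items()) + request_params(url, body_params)
    base = signature_base_string(method, url, params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in oauth.items())


def parse_auth_header(header: str) -> dict:
    """Split the header back into its percent-decoded oauth_* fields."""
    if not header.startswith("OAuth "):
        return {}
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, _, v = part.partition("=")
        out[k] = unquote(v.strip('"'))
    return out


def verify_request(method, url, body_params, header, consumer_secret, token_secret,
                   seen_nonces: set, max_skew: int = 300, now=None) -> bool:
    """Server side: recompute the signature over what was actually received,
    reject stale timestamps and replayed nonces, and compare in constant time."""
    oauth = parse_auth_header(header)
    presented = oauth.pop("oauth_signature", "")
    if oauth.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    try:
        ts = int(oauth["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    replay_key = (oauth.get("oauth_consumer_key"), oauth.get("oauth_token"),
                  oauth.get("oauth_nonce"), ts)
    if replay_key in seen_nonces:
        return False
    params = list(oauth.items()) + request_params(url, body_params)
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    seen_nonces.add(replay_key)
    return True


if __name__ == "__main__":
    # Constructed sample values; the endpoint is hypothetical.
    hdr = sign_request("POST", "https://api.example/1/statuses/update.json",
                       {"status": "Hello from a third-party app"},
                       "app-key", "s3cretA", "tok-42", "s3cretB")
    print(hdr)
```

The header carries the consumer key, the user's token, a nonce, a timestamp and the signature; the password and both secrets stay on the two endpoints. That is the whole benefit: an application that is compromised or malicious can only act within the delegated token, which Twitter can revoke, rather than holding the user's password. It does nothing for a user who types that password into a look-alike login page, and nothing against someone operating the site's own support tools.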
Mary Landesman, senior security researcher at ScanSafe, says the attack could have been a form of phishing, too, given the link posted on Obama's account.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message