Three Lessons We Can Learn from Hacker Croll


So, if you haven’t been closely following the incident involving TechCrunch, Twitter, and a very astute hacker called Croll, then you’re missing out on a turning point for internet security as we know it.

In case you’re new to the story, here’s what happened in a nutshell, via TechCrunch:

  1. HC (Hacker Croll) accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails to successfully guess what the original Gmail password was, and reset the password so the Twitter employee would not notice the account had changed.
  3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.


So, in retrospect, and even while the rest of the story is sorted out, what surface lessons can we learn?  And, maybe a more fitting question, how many of them should we know already?

(Most of these lessons assume people are only working online.  If someone wants your information bad enough, they might be able to use other, offline means to get it.  Make sure to take similar precautions offline as well as online to keep your information safe!)

Lesson 1: Don’t Use the Same Password on Every Site

Most of us are guilty of it, but it goes without saying that you should have different passwords for different sites.  Hacker Croll took advantage of the “human habit” of one user reusing the same password across multiple services (Gmail, Google Apps, iTunes, etc.).  What’s more, the victim had no clue that he was hacked because the hacker changed his password back to the original after accessing the account.  The result?  Hacker Croll was in the account, and the victim went about his daily business.

Lesson Learned: use different passwords for different accounts.

Lesson 2: Security Questions are Anything but Secure

Let’s hypothetically say you have signed up for a new social network.  You create your password and set your security question to “What is my pet’s name?”  Your answer: “Spot”.  Three days later, you mention Spot’s no-good couch chewing accident on that social network.  Someone has just filled in a piece of the puzzle needed to access that account.

Combined with a password, a security question isn’t necessarily a bad thing.  But an either/or scenario for them is dangerous.  Basically, it boils down to “Either you tell me your randomly generated password, or your pet’s name” – scary to think about in those terms, but it happens every day.

Lesson Learned: the best way is to falsify or randomize the answers, and keep them in a safe or secure locked location.

If it asks you for “favorite food”, “favorite color”, and “favorite book”, then your answers could be:

  • Favorite Food: Red
  • Favorite Book: Jackknife
  • Favorite Color: Treehouse

Of course they don’t make sense, but that’s the point: writing them down and securing them (or not writing them down and just remembering them) will outwit any online hacker.
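To make lessons 1 and 2 concrete, here is a small added example (not code from the original post) that does three things: flags accounts sharing a password, checks whether a security-question answer also appears in something you posted publicly (the “Spot” scenario), and generates random multi-word answers that have no connection to your life. The wordlist and the sample accounts and posts are constructed for illustration; a real setup would draw answers from a much larger list and keep them in a password manager or a locked drawer, as the post suggests.

```python
import re
import secrets

# Constructed wordlist for illustration only; a real setup would draw from a
# much larger list (for example a diceware list) so answers cannot be guessed.
WORDLIST = [
    "anvil", "beacon", "cobalt", "dapper", "ember", "falcon", "gravel",
    "harbor", "inkwell", "juniper", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ripple", "saddle", "timber",
]


def random_answer(wordlist=WORDLIST, words=3):
    """Build one security-question answer from randomly chosen words.

    secrets.choice uses the OS random source, so the answer has no connection
    to the user's pet, hometown or reading habits and cannot be looked up."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_answers(questions, wordlist=WORDLIST, words=3):
    """One independent random answer per question, all distinct from each other.

    Distinct answers matter: if two sites ask the same question, a leak from
    one site must not hand the attacker the answer for the other."""
    answers = {}
    for question in questions:
        candidate = random_answer(wordlist, words)
        while candidate in answers.values():
            candidate = random_answer(wordlist, words)
        answers[question] = candidate
    return answers


def answer_in_public_posts(answer, posts):
    """True if the answer appears as a whole word in any public post.

    This is the 'Spot' scenario from the article: an answer that is also
    mentioned online is a puzzle piece an attacker can simply read."""
    pattern = re.compile(r"\b" + re.escape(answer) + r"\b", re.IGNORECASE)
    return any(pattern.search(post) for post in posts)


def reused_passwords(accounts):
    """Group account names that share a password.

    accounts maps site name -> password. Returns a sorted list of groups
    (each a sorted list of site names) where the same password appears on
    more than one site, i.e. exactly the pattern Hacker Croll exploited."""
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed sample data: a user's accounts and a public post about the dog.
    accounts = {"gmail": "Spot2009", "twitter": "Spot2009", "bank": "n0tTheSame"}
    posts = ["Spot chewed up the couch again, no good dog!"]

    print("Sites sharing a password:", reused_passwords(accounts))
    print("'Spot' visible in public posts:", answer_in_public_posts("Spot", posts))
    for question, answer in random_answers(
        ["favorite food", "favorite color", "favorite book"]
    ).items():
        print(f"{question}: {answer}")
```

Run it as-is to see the sample audit; to use it on your own accounts, feed `reused_passwords` the site/password pairs from your password manager export and delete the export afterwards.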

Lesson 3: Emails from Web Services = Keys to the Kingdom

You sign up for service x, you get an email thanking you for signing up… it’s pretty standard practice.  Some services even send you your password (isn’t that thoughtful of them).  Delete those emails as soon as you can.  Any such email that gets archived for later, stored in a folder, or (even worse) kept in your inbox is a prime target for hackers looking for your sensitive information.

Of course, combine that with lesson one, and any email from a service could spell a hack.  If you use the same password for Gmail and Twitter, then finding one password opens you up for attack in every service.

Lesson Learned: Delete emails that have account information, or print them out and keep them in a secure place.
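Finding those emails by hand in a years-old archive is tedious, so here is an added example (not from the original post) that parses a small mailbox and flags messages whose subject or body carry a password, a username, a reset link or a verification code, so the owner can review and delete them. The three sample messages and the phrase list are constructed for this example; tune the phrases to the services you actually use.

```python
import email
import re
from email.message import Message

# Phrases that mark a message as carrying account secrets or a way to get them.
# Constructed for this example; tune the list to the services you actually use.
CREDENTIAL_PATTERNS = {
    "password in body": r"\bpassword\b\s*(?:is|:)",
    "password reset link": r"\b(?:reset|recover(?:y)?)\b[^.\n]{0,40}\bpassword\b",
    "username in body": r"\b(?:username|login|user name)\b\s*(?:is|:)",
    "verification code": r"\b(?:verification|confirmation|security) code\b",
}
_COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in CREDENTIAL_PATTERNS.items()}


def message_text(msg: Message) -> str:
    """Return the subject plus every text/plain body part of a parsed message.

    walk() yields the message itself for single-part mail and every part for
    multipart mail, so one loop handles both shapes."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def scan_mailbox(raw_messages):
    """Flag messages whose subject or body carry credentials.

    Returns a list of dicts with the message index, its subject and the names
    of the patterns that matched, so the owner can review and delete them."""
    flagged = []
    for index, raw in enumerate(raw_messages):
        msg = email.message_from_string(raw)
        reasons = [name for name, rx in _COMPILED.items() if rx.search(message_text(msg))]
        if reasons:
            flagged.append({"index": index, "subject": msg.get("Subject", ""), "reasons": reasons})
    return flagged


# Constructed sample mailbox: three messages as they might sit in an archive folder.
# Header lines must start at column 0; indented lines would parse as continuations.
SAMPLE_MAILBOX = [
    """From: noreply@service.example
To: alice@example.com
Subject: Welcome to ExampleService

Thanks for signing up! Your username is alice and your password is Tr0ub4dor.
""",
    """From: bob@example.com
To: alice@example.com
Subject: Lunch Thursday?

Want to grab lunch on Thursday? Same place as last time.
""",
    """From: accounts@service.example
To: alice@example.com
Subject: Reset your ExampleService password

Someone requested a password reset. Click the link below to choose a new one:
https://service.example/reset?token=PLACEHOLDER_TOKEN
""",
]

if __name__ == "__main__":
    for hit in scan_mailbox(SAMPLE_MAILBOX):
        print(f"message {hit['index']}: {hit['subject']!r} -> {', '.join(hit['reasons'])}")
```

The welcome mail and the reset mail are flagged, the lunch invitation is not. To run this over a real archive, read each message out of an mbox file (the standard library's `mailbox.mbox` yields message objects you can pass straight to `message_text`) instead of the constructed list.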

Bonus Lesson: Don’t Use a Hotmail Account as Your Secondary Email

Hacker Croll is a wily one.  When he found out that the secondary email on the Gmail account of “victim zero” was a Hotmail account, he quickly hopped over to Hotmail to try and access that account.  What he found was nothing short of a gold mine: after a certain amount of inactivity, a Hotmail account deactivates itself and its address becomes available again.  Hacker Croll simply re-registered the account, requested a password reset (the reset link landed in the Hotmail inbox he now controlled), and gained access to the Gmail account.  Shame on Hotmail for cutting costs so aggressively that security suffers.  <opinion> Then again, shame on Hotmail for not being more like Gmail.  </opinion>

Basically, these sound like common-sense items, but when it comes to online security, most of us fall into the “human habit”.  Online information is supposed to be quickly accessed, and passwords (honestly) get in the way of that access.  So we take shortcuts, simple solutions, and forgo security for simplicity.  I hope that what happened to Twitter, a big company, can encourage someone smaller (aka, the user) to be a little more careful with their security.