While Twitter has remained largely quiet on the hour-long hijacking of its domain name, additional information suggests that the attacker had compromised at least one user at the social networking company.
On Thursday, an unknown attacker hijacked Twitter's domain name and redirected visitors to an unrelated site hosting a page claiming Twitter had been hacked by the "Iranian Cyber Army." Evidence indicates, however, that the attackers were able to change the domain-name system (DNS) entries at Twitter's provider, Dyn Inc., said Rod Rasmussen, president and CEO of Internet Identity, an infrastructure security firm which monitors DNS changes.
"First of all the name servers themselves didn't change, so someone was updating things at the provider," Rasmussen said. Because other clients were not showing signs of DNS hijacking, it's unlikely that Dyn itself had been breached, Rasmussen said. "We didn't see anything else at Dyn that indicated signs of that the service had been compromised."
On Friday, Dyn confirmed that the attacker had the proper credentials to log into Twitter's account with the company and change the addressed assigned to various hosts in the Twitter.com domain. While some media reports have called the attack a hack or a defacement against the site, neither term applies, said Kyle York, vice president of sales and marketing for the firm.
"From our point of view, no unauthenticated users logged into the system," York said.
netizens left a footprint.