I'm doing a security investigation for a friend of mine, working a bit of a Sherlock Holmes here... Trying to figure out a possible hack scenario for the following:
- My friend receives a "screw you and your Twitter profile" message on a vBulletin-powered message board, where no one knows who she is.
- After a while she notices someone changed her profile picture on Twitter.
The message board does not use any Twitter OAuth-connected accounts or anything similar; her forum username was some unreal "abracadabra" nonsense name, which is not "personally identifiable". Her forum profile is empty. The only real thing in the profile was her email.
The only possible scenario that comes to my mind is:
Someone used an exploit on vBulletin to get her real email address or otherwise accessed her account (via brute force etc.)
Figured her Twitter account by email address (for instance, by generating a Gravatar picture out of email and then performing a Google search "by image")
Used some well-known (in the underground circles) exploit for some Twitter "app" she had connected in her account.
Do you see any other possibilities?
PS. Too bad Twitter has no login audit...
PPS. I'm not searching for instructions on "how can you hack someone's Twitter"; I'm trying to find (based on the scenario) how we can secure her other data (if he hacked Twitter, who knows what else can be compromised).
PPPS. Some background info about the person to rule out the obvious: she's a software engineer and CEO of a small software shop, not your average "Nancy homemaker"; she's on a Mac (not Windows), uses 2-factor on most accounts (Gmail, Amazon AWS etc., but not Twitter), and uses a password manager with 2-factor. Her forum password was really weak (6 letters); her Twitter password was kinda strong.
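The Gravatar step in the question's scenario is worth seeing concretely, because it works even when the email itself is never displayed: Gravatar identifies an avatar by the MD5 of the trimmed, lower-cased address, and any site that embeds Gravatar images (vBulletin forums with Gravatar support included) puts that hash in its HTML, where it can be matched against the same hash on another site or against a list of candidate addresses. The Python below is an added example written for this page, not code from the original post; the email address, the candidate list and the HTML snippet are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample data for this example (not from the original post).
FORUM_EMAIL = "  Abracadabra.Dev@Example.COM "      # the address the forum profile held
OTHER_CANDIDATES = ["ceo@example.com", "press@example.com"]
GRAVATAR_RE = re.compile(r"gravatar\.com/avatar/([0-9a-f]{32})", re.I)


def gravatar_hash(email: str) -> str:
    """Gravatar keys an avatar on MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """Avatar URL; d=404 makes Gravatar answer HTTP 404 when the address has no avatar,
    which is also how one checks whether an email is registered there at all."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=404"


def hashes_in_page(html: str) -> list:
    """Avatar hashes leaked in the markup of any page that embeds Gravatar images."""
    return [h.lower() for h in GRAVATAR_RE.findall(html)]


def link_email(observed_hash: str, candidates) -> list:
    """Candidate addresses whose Gravatar hash equals one observed on another site."""
    observed = observed_hash.strip().lower()
    return [e for e in candidates if gravatar_hash(e) == observed]


# Constructed snippet of a third-party page that embeds the same avatar.
SAMPLE_PAGE = (
    '<img class="avatar" src="https://www.gravatar.com/avatar/'
    + gravatar_hash(FORUM_EMAIL) + '?s=48">'
)

if __name__ == "__main__":
    print(gravatar_url(FORUM_EMAIL))
    for h in hashes_in_page(SAMPLE_PAGE):
        print(h, "->", link_email(h, [FORUM_EMAIL] + OTHER_CANDIDATES))
```

The practical consequence for the scenario: the forum password being weak is not even required for this link, since the hash is public to anyone who views a page where the avatar appears, and an MD5 of an email address is trivially checked against any list of addresses an attacker already holds. Using a different avatar (or a different email) on anonymous forums than on the real-name accounts breaks the link.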