Twitter's password recovery process exposes accounts to hacking, according to victim

A victim of a hacker has written up a long piece regarding Twitter's security processes and how he believes he became a victim. Twitter's password recovery system is reportedly to blame, as it allowed a hacker to use a brute-force style attack on his handle. A brute-force attack tries common passwords as quickly as it can until it finds a match or exhausts a word list.

The issue seems to stem from the fact that Twitter doesn't limit login attempts per account, rather they limit them per IP. What this means is a hacker just needs to use a proxy network or some other way of IP switching and they would be able to brute-force an account indefinitely, or at least until the password was found.

However, why the victim, Daniel Dennis Jones, had chosen to use a simple, common password that could be brute-forced is beyond me. His story makes sense, though, and is why most password recovery systems limit login attempts on a per account basis, or at minimum throw up a CAPTCHA after a few failed attempts at logging into an account.

The happy ending: Eventually Jones was able to recover his @blanket handle with the help of Twitter.