no technical hacking here; very, very simple stuff; please read (especially K)
When you register a new gmail account you give them a "secondary" email. If you forget your password you can ask gmail to send a "password reset" link to this secondary email.
In this case, the hacker found that
- his victim had a "hotmail" address as a secondary
- he had not used that address for years
- so hotmail had expired/deleted it (I don't blame them for this, even if it is MS!)
- so anyone was free to register that address again
- so the hacker simply registered it himself
- thus getting the "password reset" email for his victim's gmail account :-)
The second part is even simpler. He needed to reset the password back to what the owner **currently** uses, otherwise the owner would get suspicious (if he was unable to log in next time). And he needed to do this very quickly.
- he looked through all the saved email on the hacked gmail account
- found a few passwords helpfully sent back by various services to which the victim had subscribed
- gambled that the victim uses the same password for everything
- and reset the gmail password to that
Once he was sure everything was OK, he just used that same password to access the victim's **official** twitter email.
Moral of the story:
- never use the same password for more than one service.
- delete registration emails from websites if they contain your password. Be sure to empty the trash (or "delete forever") too
- in any case, change your passwords once in a while
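The two weak points the story turns on, a recovery address nobody has logged into for years and one password shared across services, are both things you can audit from a password-manager export before anyone else does. The script below is an added example written for this post, not code from the author or from any provider; the account inventory is constructed to mirror the story, the service names are hypothetical, and the 270-day idle threshold is an assumption (providers reclaim dormant addresses on their own schedules, so any long gap should be treated as a risk).

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Account:
    service: str                                # hypothetical service name
    password: str                               # as exported from a password manager
    recovery_email: Optional[str] = None        # "secondary" address used for password resets
    recovery_last_used: Optional[date] = None   # last time that mailbox was actually logged into


# Constructed inventory mirroring the story: a Gmail account whose Hotmail recovery
# address has not been touched for years, and one password shared by three services.
SAMPLE_ACCOUNTS = [
    Account("gmail", "hunter2", "victim@hotmail.example", date(2006, 3, 14)),
    Account("twitter", "hunter2", "victim@gmail.example", date(2009, 11, 30)),
    Account("forum", "hunter2"),
    Account("bank", "correct horse battery staple", "victim@gmail.example", date(2009, 11, 30)),
]
AS_OF = date(2009, 12, 1)  # constructed "today" for the checks


def stale_recovery(accounts: List[Account], today: date, max_idle_days: int = 270) -> List[str]:
    """Return the services whose recovery mailbox has sat unused for longer than
    max_idle_days (an assumed threshold). An address the provider has released can
    be re-registered by anyone, who then receives the reset links for this account.
    Accounts with no recovery address, or no known last-login date, are skipped;
    a real audit would want to list the latter as 'unknown' rather than ignore them."""
    stale = []
    for acct in accounts:
        if acct.recovery_email is None or acct.recovery_last_used is None:
            continue
        if (today - acct.recovery_last_used).days > max_idle_days:
            stale.append(acct.service)
    return sorted(stale)


def reused_passwords(accounts: List[Account]) -> List[List[str]]:
    """Group services that share one password. Each group is a single point of
    failure: a leak or a reset at any member hands over the rest, which is exactly
    the gamble that paid off in the story."""
    by_password = defaultdict(list)
    for acct in accounts:
        by_password[acct.password].append(acct.service)
    return sorted(sorted(services) for services in by_password.values() if len(services) > 1)


if __name__ == "__main__":
    for svc in stale_recovery(SAMPLE_ACCOUNTS, AS_OF):
        print(f"{svc}: recovery mailbox idle; log into it or point recovery at a live account")
    for group in reused_passwords(SAMPLE_ACCOUNTS):
        print(f"one password shared by {', '.join(group)}: give each service its own")
```

Run against a real export, the two lists are the accounts to fix first: re-verify or replace every stale recovery address, and break up every reuse group, starting with whichever member can reset the others.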