Federal prosecutors have charged a previously convicted hacker with illegally accessing millions of records sent by Twitter users requesting technical support. The allegations shed new light on the hijacking of Burger King's Twitter account 17 months ago, a case many assumed had gone cold.

Cameron Lacroix, a 25-year-old resident of New Bedford, Massachusetts, agreed last month to plead guilty to a hacking spree that targeted computer networks around the country, some belonging to law enforcement organizations that stored sensitive data. He was also reportedly one of several hackers to steal racy pictures stored on Paris Hilton's poorly secured cell phone in 2005.

On Wednesday, federal prosecutors in San Francisco alleged that from February 16 to 19 in 2013, Lacroix hacked into Zendesk, a provider of customer support services, and used his illegal access to download millions of records belonging to Twitter, one of the many companies that used Zendesk. The support tickets included users' e-mail addresses and contact information. He then used the information to breach at least two high-profile Twitter accounts, according to charging papers filed in US District Court in San Francisco. Prosecutors wrote:

Lacroix identified the email addresses that were used to register Twitter accounts for Jeep and Corporation A. After compromising and taking control of those email addresses, he submitted password reset requests for those accounts; Twitter's responses were sent to the compromised email addresses, which Lacroix now controlled. Lacroix changed the passwords to Jeep and Corporation A's Twitter accounts, assumed control of those accounts, and proceeded to deface them with text and pictures. (For example, Corporation A's feed falsely reported that the company had been sold to its chief competitor.) Lacroix also deleted the incoming support tickets those companies attempted to submit to Zendesk reporting that their Twitter accounts had been hijacked.

Prosecutors didn't identify Corporation A by name. Based on the facts provided, however, the Zendesk compromise was almost certainly the one used to hamburgle Burger King's Twitter account and falsely announce the sale of the restaurant chain to arch-rival McDonald's. As Ars reported at the time, the parties that took credit for the account hijacking even gave a shout-out to the Defonic Team Screen Name Club, a hacking group that also claimed responsibility for hacking Paris Hilton's Sidekick handset and airing the faux-celebrity's contacts.

Compared with some of the other breaches that Lacroix has been accused of perpetrating, the one involving Twitter is innocuous. Still, it underscores the way a relatively minor hack on one platform can be a mere starting point. A small hack can often be escalated by combining it with technical weaknesses and social engineering on other platforms. According to prosecutors:

Between February 16 and February 19, 2013, Lacroix identified and exploited a website vulnerability to create Zendesk accounts with elevated privileges. He used this heightened access to disable a security measure designed to ensure that only Twitter employees could view Twitter helpdesk information stored at Zendesk, such as support tickets, customer email addresses, and other contact information. Lacroix was thereby able to see all support tickets for any of Zendesk's customers, including Twitter. Lacroix then exported approximately one million Twitter support tickets to computers outside of Zendesk's network. Those support tickets included email addresses and contact information for each customer.

According to a February 2013 post on Wired, a Zendesk breach affecting Twitter also compromised support tickets belonging to Tumblr and Pinterest. Wednesday's charges make no reference to either of those services.