Update (Jan 11th 2009) - The hacker bragged about the hack and revealed that it was a brute-force dictionary attack against an administrator account. Twitter does not block repeated login failures, which makes brute-force attacks possible. We are still leaving the incident classification as "insufficient authentication" in addition to brute force, as we feel an administration interface should have an additional authentication mechanism and not just a password.
Twitter announced that a hacker broke into 33 accounts, including Obama's now-inactive Twitter account. The hack was the result of a flaw in a web-based support tool used by Twitter, which was evidently accessible externally without proper authorization.
It is important to note that this incident is not related to the Twitter phishing attack that occurred the previous weekend.
This incident highlights the issue of public-facing administration interfaces, which often combine powerful functionality with less attention to quality and therefore to security. As organizations virtualize, those interfaces become available over the Internet, often without sufficient protection.
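The control the update describes as missing, blocking repeated login failures, can be sketched as a per-account throttle with escalating lockout. This is an added example, not Twitter's code; the class, function and account names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account failed-login throttle with escalating lockout (hypothetical helper)."""
    def __init__(self, max_failures=5, window=300.0, base_lock=60.0, max_lock=3600.0):
        self.max_failures, self.window = max_failures, window
        self.base_lock, self.max_lock = base_lock, max_lock
        self._failures = defaultdict(deque)   # account -> times of recent failures
        self._locked_until = {}               # account -> time the current lock expires
        self._lock_count = defaultdict(int)   # account -> lockouts since last success

    def allowed(self, account, now):
        """True if a password check may be attempted for this account at `now`."""
        return now >= self._locked_until.get(account, 0.0)

    def record_failure(self, account, now):
        """Record a failed login; return the lock duration in seconds (0.0 if none)."""
        recent = self._failures[account]
        recent.append(now)
        while now - recent[0] > self.window:  # keep only failures inside the window
            recent.popleft()
        if len(recent) < self.max_failures:
            return 0.0
        # Each further lockout doubles the wait, capped at max_lock.
        duration = min(self.base_lock * 2 ** self._lock_count[account], self.max_lock)
        self._lock_count[account] += 1
        self._locked_until[account] = now + duration
        recent.clear()
        return duration

    def record_success(self, account):
        """A successful login clears the failure history and the escalation level."""
        self._failures.pop(account, None)
        self._lock_count.pop(account, None)

def replay(events, throttle):
    """Replay (time, account, password_ok) events and return each outcome."""
    outcomes = []
    for now, account, password_ok in events:
        if not throttle.allowed(account, now):
            outcomes.append("rejected_locked")  # the password is never checked
        elif password_ok:
            throttle.record_success(account)
            outcomes.append("success")
        else:
            outcomes.append("locked" if throttle.record_failure(account, now) else "failure")
    return outcomes

# Constructed sample: five wrong guesses, then the right password during and after the lock.
SAMPLE = [(t, "support-admin", False) for t in range(5)] + [(5, "support-admin", True), (70, "support-admin", True)]
```

Throttling only slows guessing and lets an outsider lock the account on purpose, so it complements rather than replaces the additional authentication mechanism this entry calls for on administration interfaces.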
You can read some of the funny things that the hacker published in different twitters on Read Write Web.