Hacker break-in of Twitter e-mail yields secret docs

Underscores problems broadcasting life's secrets to the world, say experts

A hacker made off with confidential Twitter documents after breaking into an employee's e-mail account, the company's co-founder confirmed yesterday.

Security experts today said that the breach and theft highlights the problem people have with creating, and then remembering, strong passwords, and the increasing tendency to disclose personal information on services like Twitter and Facebook.

"What it boils down to is that people are lazy and lackadaisical about their personal paranoia," said Andrew Storms, director of security operations at nCircle Network Security. "People should be thinking twice about what they're making public."

The breach occurred about a month ago, said Twitter co-founder Biz Stone, when a hacker calling himself Hacker Croll broke into an administrative assistant's e-mail account, then used that to collect information that let him access the employee's Google Apps account. Twitter workers use the corporate version of Google Apps to share documents and other information within the company.

Hacker Croll then forwarded hundreds of pages of internal Twitter documents to Web sites, including TechCrunch, which in turn has published some and referred to others. Among the finds: Financial projections by Twitter that it will have a billion users, $US1.54 billion in revenue and $US1.1 billion in net earnings by 2013.

The privately held Twitter does not disclose the current number of users or its financials, but some metrics firms estimate the site has six million unique visitors a month. Documents disclosed by TechCrunch said Twitter was projecting 25 million users by the end of this year.

Stone denied reports that a bug in Google Apps was responsible. "This attack had nothing to do with any vulnerability in Google Apps, which we continue to use," he said in a blog entry yesterday. "This is more about Twitter being in enough of a spotlight that folks who work here can become targets. This was not a hack on the Twitter service, it was a personal attack followed by the theft of private company documents."

Exactly, said security experts today, who put the blame on a combination of online password retrieval systems and people's disclosure of their personal life on social networking services.

"This has nothing to do with cloud computing," said Sam Masiello, vice president of information security at Englewood, Colo.-based MX Logic. "It's about weak passwords that are easily guessable, with a huge contribution from people's habit of putting online information that they wouldn't otherwise share with anyone but their closest friends. It's not hard to crack [password resets] with the information you can find freely available on social networking sites."

Like the breach of Gov. Sarah Palin's Yahoo e-mail account last fall, security researchers guessed that Hacker Croll gained access to the Twitter employee's account using Google's password reset feature, which poses several personal questions to authenticate the user. Hacker Croll likely dug up possible responses by rooting through the Web for details on the assistant, then used those to reset the password to one only he knew.

The college student who broke into Palin's e-mail account -- and who now faces federal charges -- bragged that it took him only 45 minutes to research answers to Yahoo's password reset questions.

Storms echoed Masiello regarding the risk posed by spilling one's life on the Web. "If you broadcast your entire life to the public via social media, then it makes it easier for people to impersonate you and answer those 'forgot my password questions,'" he said today. "That just gives the black hats the intelligence they need."

While Masiello urged users to create stronger passwords -- a blend of alphanumeric and special characters, such as "#" and "&," for instance -- Storms said the lesson everyone should take from the Twitter breach is to recognize that everyone's a target today. "Employees, no matter where they are on the food chain, need to know that they are targets," he said. "If I want to get at a company's documents, I'm going to start targeting employees. The problem is that they don't view themselves as targets, but actually they are the conduit to higher-ups."

Storms' advice to companies? "Don't put all your eggs in one basket," he said, referring to Twitter's use of Google Apps -- and Google's single sign-on username/password to access all of its online services, including Apps and Gmail. "It's dangerous to trust one site to host all the different types of data you have. Think of the cloud as a castle. If all the information is behind one castle wall, wouldn't you want to host it like you would host it?"

Specifically, said Storms, Twitter should have searched out solutions that let it create multiple levels of access, so that, for example, an administrative assistant's account would not lead to crucial internal documents.

"We do need to be asking those kinds of questions of the cloud," Storms said.

For users, Storms had different advice. "For those password reset questions, don't pick one of the defaults," he said. "If it lets you, type your own question." Failing that, he recommended something even he said was unusual. "I tell people to lie," he said, talking about the answers to the password reset questions. "Give a nonsensical answer. If it asks for your shoe size, don't give your shoe size, say 'brown.'" That tactic may sound counterintuitive or confusing at first, "But once you start doing it, you'll be able to remember those answers."

Twitter has threatened legal action against the sites that have published the stolen documents, but in a relatively low-key way. "We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents," Stone said in his blog.

Yesterday, TechCrunch's founder and co-editor Michael Arrington acknowledged that the site was in "negotiations with Twitter, or rather Twitter's lawyers" over the publication of a subset of the documents it had been given by Hacker Croll.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags twitter

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?