A security breach...for the third time this year for the San Francisco based company.
Twitter hacked after password guess for third time in '09
Attack highlights risks of easy-to-guess passwords, cloud computing.
Thursday, July 16, 2009
SAN FRANCISCO — Breaking into someone's e-mail can be child's play for a determined hacker, as Twitter Inc. has learned the hard way — again.
For the third time this year, the company was the victim of a security breach stemming from a simple end-run around its defenses. In the latest case, a hacker guessed the password for an employee's personal e-mail account and stole confidential company documents.
The techniques used by the attackers highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online.
The shift toward doing more over the Web means that mistakes employees make in their private lives can do serious damage to their employers because a single e-mail account can tie the two worlds together.
Stealing the password for someone's Gmail account, for example, gives the hacker access to any Google applications they might use for work, such as those used to create spreadsheets or presentations.
That's apparently what happened to Twitter, which shares confidential data within the company through the Google Apps package that incorporates e-mail, word processing, spreadsheet, calendar and other Google services for $50 per user per year.
Co-founder Biz Stone wrote in a blog Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and the attacker got access to the employee's Google Apps account.
Separately, the wife of co-founder and CEO Evan Williams also had her personal e-mail hacked around the same time, Stone wrote. Through that, the attacker got access to Williams' personal Amazon and PayPal accounts.
Stone said the attacks are "about Twitter being in enough of a spotlight that folks who work here can become targets."
Some of the material the hacker posted online from the Google Apps documents was more embarrassing than damaging, such as floor plans for new office space and a pitch for a TV show about the online messaging service.
Twitter says only one user account was potentially compromised because a screenshot was included among stolen documents. The value in hijacking a user's account is limited, as those attacks are mainly used to post fake messages and try to trick the victim's friends into clicking on links that will infect their computers.
But sensitive Twitter documents were accessed: The hacker claims to have employee salaries and credit card numbers, résumés from applicants, internal meeting reports and growth projections.
TechCrunch, a widely read technology blog, says it was e-mailed the documents, and subsequently published some of them, including financial projections that Twitter drew up in February.
The forecast predicted Twitter would generate its first revenue in the current quarter, with sales of about $400,000 and about 60 employees. By the end of next year, Twitter expected to employ about 345 people with annual revenue of about $140 million, according to the documents.
In his blog post, Stone said the stolen documents "are not polished or ready for prime time, and they're certainly not revealing some big, secret plan for taking over the world," but said they are sensitive enough that their public release could jeopardize relationships with Twitter's partners.
Stone said the company is talking to lawyers about "what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents."
What the attacks on Twitter show is that Web sites don't need to get compromised in the traditional sense to put its users and employees at risk.
Hackers don't need to find a vulnerability in the site itself or plant a virus on an employee's computer to sneak inside.
All they need to find is an employee who uses weak passwords for his or her e-mail accounts, or has security questions that are easy to answer.
It's an old strategy that's becoming more and more valuable as people's personal and work lives merge online.
In an attack in January, a Twitter support staffer's account was compromised using a password-guessing program. The hacker got administrative access to the site, and Twitter feeds for Barack Obama, Britney Spears and other celebrities were used to send out bogus messages. A similar attack occurred in May.
The attacks on Twitter serve as a reminder of why many corporations are reluctant to adopt so-called cloud computing, in which companies pay someone else to run their software remotely, with users accessing the programs over live Internet connections.
The lesson is an old one: Use hard-to-guess passwords, which include some combination of letters and numbers, and for companies, be careful about how many accounts are linked to the same username and password combination.
http://www.statesman.com/business/conte ... itter.html