For the third time this year, Twitter was the victim of a security breach that stemmed from a simple attack. In the most recent case, a hacker simply guessed an employee’s personal email account password and then worked from there to steal confidential company documents.
This most recent attack brings to light some of the problems associated with storing data online instead of on computers that are within your control. By stealing the password for someone’s Gmail account, for example, a hacker not only gains access to that person’s email, they also gain access to any of the Google applications (and documents associated with those applications) that person uses. This is apparently what happened with the most recent Twitter attack.
Twitter shares confidential data within the company using the Google Apps package that includes email, word processing, spreadsheets, a calendar, and other Google services for $50 per user per year. In a recent blog post, Biz Stone, co-founder of Twitter, revealed the personal email account of an unnamed Twitter administrative employee was hacked about a month ago. Through this attack, the hacker received access to the employee’s Google Apps account.
The hacker obtained both sensitive and potentially embarrassing documents through the attack. Some of the material posted online from the Google Apps documents included floor plans for a new office space as well as a pitch for a TV show about the increasingly popular online service. Sensitive documents were also stolen, however: the hacker claims to have obtained employee salaries and credit card numbers, resumes from job applicants, internal meeting reports, and growth projections.
Twitter believes a single user account was the only one compromised, because a screenshot of that account was included with the stolen documents. The hacker shared some of the stolen documents with TechCrunch, which subsequently published some of them, including financial projections for Twitter. Stone said most of the documents TechCrunch received are “speculative exercises” and are not polished or ready for prime time. Twitter is currently talking to lawyers to figure out what this recent attack means for the company, the hacker, and anyone who accepts and shares or publishes the stolen documents.
Regardless of how this ends up for Twitter, the attack brings to light how easy it can be for hackers to gain access to important company data by simply breaking into an employee’s personal account, especially now that a single email account may tie a person’s personal and professional lives together.
The recent Twitter attacks remind us why some corporations are reluctant to jump on the cloud computing bandwagon. The attacks also bring to light the potential risks associated with streamlining access to multiple accounts using a single login, as is currently the case with Facebook and other services.
The lessons we should all take from the Twitter attacks are simple: use strong passwords, be careful about how many accounts are linked to the same username and password, and consider the answers to security questions carefully, keeping in mind that much information about a person can be found by means of a simple Google search.