Lessons from Twitter's security breach

Information taken from the hacking of some of Twitter's employees a few months ago is finally coming to light. Can this happen to other companies?

Josh Lowensohn, Former Senior Writer
Caroline McCarthy, Former Staff Writer, CNET News

Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides.

In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.

The aftermath of the hack, which took place in May, is only now becoming clear. Documents that a hacker using the alias Hacker Croll recovered from Goldman's account and others (including Twitter co-founder Evan Williams) could be a treasure trove of inside information about the company and its plans.

While Croll was planning to release the entire batch publicly (and at once), tech blog TechCrunch posted news late Tuesday that it had received them and was considering posting the details of at least some of them.

Although it seems that Twitter has been thrust into this situation a bit unfairly, a hack along these lines could have happened to the executives of more Web companies than anybody would like to admit. What it really highlights is the extreme interconnectedness of the social Web: with the likes of e-mail contact importing and data-portability services like Facebook Connect now commonplace, a savvy hacker can have access to multiple accounts simply by accessing one.

A post Wednesday on Twitter's official blog highlights just how far-reaching this can be.

"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked," the post from co-founder Biz Stone read. "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company."

Following that attack, Twitter conducted a security audit, and Stone's post says that there was not a security vulnerability in Google Apps and that Twitter continues to use the suite internally. A separate hack targeted the account of CEO Evan Williams' wife, and from that some of Williams' personal accounts were accessed as well, Stone explained.

But Twitter is front and center in the news these days, and is now talked about as a communications protocol as much as a Web start-up. Not only does that make it a particularly appealing target, but it also means that the reverberation in the media will be all the more sensational and lasting. And this isn't the first Twitter security panic to hit the press by any means. A number of celebrities' accounts were hacked in January, which the company blamed on an "individual" hacker rather than any of the various phishing scams that had been popping up occasionally on the microblogging service.

Security of Web apps under fire

Despite the breach, Twitter's executives say they have faith in the cloud and securing data online.

"This is more about Twitter being in enough of a spotlight that folks who work here can become targets," Stone's post read. "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Stone added that Twitter is communicating with its legal counsel (the company, conveniently, just hired former Google lawyer Alexander Macgillivray) to figure out how to deal not only with the hacker but with people who share or publish the documents in question.

As for the log-ins, though, it's a wake-up call to the importance of a good password, and of having systems in place that make it hard for the wrong people to get in. And not all systems are created equal.

For instance, gaining access to someone's Yahoo account (which is how this all started) can be simple if you have access to one of their other e-mail accounts. Yahoo's process for password retrieval has several steps, the primary one being the option to send a password reset to another e-mail account it has on file. There's also the option to say you can't access that e-mail account, which is likely the route the hacker went. Doing this takes you to a page where you have to answer a secret question (usually a pet name), the answer to which is set during the account sign-up process.

Yahoo's password recovery screen.

After three unsuccessful tries at the secret question, Yahoo pulls up a screen that gives you the choice to either validate your identity via a credit or debit card number, or go back to answering more questions. If you fail the personal question another five times, your account is temporarily locked out from password retrieval for 24 hours; logging in with the proper credentials is still allowed, however.
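To make the recovery flow described above concrete, here is an added model of it (illustrative code, not Yahoo's or Twitter's): a secret-question path that moves to card verification after three failures, locks recovery only (not login) after five more, and clears the lock after 24 hours. The account values and thresholds are constructed from the article's description; a real system would compare a salted hash rather than a stored answer.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Thresholds as the article describes Yahoo's 2009 flow (constructed model).
FIRST_STAGE_FAILURES = 3          # then offer card verification
SECOND_STAGE_FAILURES = 5         # five more failures -> recovery lockout
LOCKOUT_SECONDS = 24 * 3600       # recovery locked for 24 hours


@dataclass
class RecoveryState:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds, None = not locked


class PasswordRecovery:
    """Models the secret-question recovery path only; login is separate."""

    def __init__(self, secret_answer: str, password: str):
        self._secret = secret_answer.strip().lower()   # constructed account
        self._password = password
        self.state = RecoveryState()

    def answer_secret_question(self, guess: str, now: float) -> str:
        st = self.state
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"                        # still inside 24h window
            st.failures, st.locked_until = 0, None     # window expired, reset
        # constant-time compare avoids leaking answer length/prefix via timing
        if hmac.compare_digest(guess.strip().lower(), self._secret):
            st.failures = 0
            return "reset-allowed"
        st.failures += 1
        if st.failures >= FIRST_STAGE_FAILURES + SECOND_STAGE_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        if st.failures >= FIRST_STAGE_FAILURES:
            return "offer-card-verification"
        return "retry"

    def login(self, password: str) -> bool:
        # Lockout applies to recovery only; credential login is unaffected.
        return hmac.compare_digest(password, self._password)
```

Note that the secret question is the weakest factor here: the lockout only slows guessing, so the stronger mitigation is a recovery path that does not rely on guessable personal facts.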

On a Google Apps account, which Stone says Twitter is still using, it's not quite as simple. A Google representative told CNET News that the company's Apps service handles password recovery differently from how it does on other Google products. For instance, users have to ask for a password directly from their account administrator, instead of through Google. That administrator can also choose how long and complex passwords must be.

Even with this more stringent layer of security, some security experts have their doubts. People shouldn't expect free, online services to provide the same standard of security that they would get from their internal corporate system, said Peter "Mudge" Zatko, technical director of national intelligence at BBN Technologies who spoke to CNET News on Wednesday.

"It's pretty ridiculous. The data is not stored at your place; it's not in your control," and problems could arise if the service provider changes its policies or gets sold, he said. "Nothing is really free."

Users of Yahoo Mail and Google Docs need to understand the convenience-security tradeoff, and that they compromise sensitive corporate data if they put it on publicly accessible systems or use the same passwords for internal and external networks, Zatko said.

"These services are very much about convenience and providing convenience for their users and part of convenience is ease of accessibility," he said. "You can't make something easy to access and terribly secure at the same time. Those are diametrically opposed goals."

CNET News' Elinor Mills contributed to this report