Hacker break-in of Twitter e-mail yields secret docs
Underscores problems broadcasting life's secrets to the world, say experts
Computerworld - A hacker made off with confidential Twitter documents after breaking into an employee's e-mail account, the company's co-founder confirmed yesterday.
Security experts today said that the breach and theft highlights the problem people have with creating, and then remembering, strong passwords, and the increasing tendency to disclose personal information on services like Twitter and Facebook.
"What it boils down to is that people are lazy and lackadaisical about their personal paranoia," said Andrew Storms, director of security operations at nCircle Network Security. "People should be thinking twice about what they're making public."
The breach occurred about a month ago, said Twitter co-founder Biz Stone, when a hacker calling himself Hacker Croll broke into an administrative assistant's e-mail account, then used that to collect information that let him access the employee's Google Apps account. Twitter workers use the corporate version of Google Apps to share documents and other information within the company.
Hacker Croll then forwarded hundreds of pages of internal Twitter documents to Web sites, including TechCrunch, which in turn has published some and referred to others. Among the finds: Financial projections by Twitter that it will have a billion users, $1.54 billion in revenue and $1.1 billion in net earnings by 2013.
The privately held Twitter does not disclose the current number of users or its financials, but some metrics firms estimate the site has six million unique visitors a month. Documents disclosed by TechCrunch said Twitter was projecting 25 million users by the end of this year.
Stone denied reports that a bug in Google Apps was responsible. "This attack had nothing to do with any vulnerability in Google Apps, which we continue to use," he said in a blog entry yesterday. "This is more about Twitter being in enough of a spotlight that folks who work here can become targets. This was not a hack on the Twitter service, it was a personal attack followed by the theft of private company documents."
Exactly, said security experts today, who put the blame on a combination of online password retrieval systems and people's disclosure of their personal life on social networking services.
"This has nothing to do with cloud computing," said Sam Masiello, vice president of information security at Englewood, Colo.-based MX Logic. "It's about weak passwords that are easily guessable, with a huge contribution from people's habit of putting online information that they wouldn't otherwise share with anyone but their closest friends. It's not hard to crack [password resets] with the information you can find freely available on social networking sites."
Like the breach of Gov. Sarah Palin's Yahoo e-mail account last fall, security researchers guessed that Hacker Croll gained access to the Twitter employee's account using Google's password reset feature, which poses several personal questions to authenticate the user. Hacker Croll likely dug up possible responses by rooting through the Web for details on the assistant, then used those to reset the password to one only he knew.
- 5 Twitter clients for Linux
- Twitter brings the data back in-house with Gnip buy
- Twitter crashed -- again -- on Tuesday
- Twitter's slipping user growth spooks investors
- Get ready to tweet your questions for Twitter's first earnings call
- Super Bowl sets Twitter record, as Volkswagen launches social war room
- Perspective: Twitter's success opens up IPO pipeline
- Update: Twitter goes public at $45 a share
- With IPO cash influx, Twitter could be bigger threat to Facebook
- Ahead of IPO, Twitter shines up multimedia image
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!