Twitter hacked by old technique -- again

Jul 15, 2009 By JORDAN ROBERTSON , AP Technology Writer
Twitter logo

(AP) -- Breaking into someone's e-mail can be child's play for a determined hacker, as Twitter Inc. employees have learned the hard way - again.

For the third time this year, the San Francisco-based company was the victim of a security breach stemming from a simple end-run around its defenses: A hacker guessed the password for an employee's personal e-mail account and worked from there to steal confidential company documents.

The techniques used by the attackers highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control.

The shift toward doing more over the Web - a practice known as "cloud computing" - means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together.

Stealing the password for someone's Gmail account, for example, not only gives the hacker access to that person's personal e-mail, but also to any other Google applications they might use for work, like those used to create spreadsheets or presentations.

That's apparently what happened to , which shares confidential data within the company through the Google Apps package that incorporates e-mail, word processing, spreadsheet, calendar and other Google services for $50 per user per year.

Co-founder Biz Stone wrote in a blog posting Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and through that the attacker got access to the employee's Google Apps account.

Separately, the wife of co-founder Evan Williams also had her personal e-mail hacked around the same time, Stone wrote. Through that, the attacker got access to Williams' personal and accounts.

Stone said the attacks are "about Twitter being in enough of a spotlight that folks who work here can become targets."

Some of the material the hacker posted online from the Apps documents was more embarrassing than damaging, like floor plans for new office space and a pitch for a TV show about the increasingly popular online messaging service.

Twitter says only one user account was potentially compromised because a screenshot of the account was included among the stolen documents. The value in hijacking a user's account is limited, as those attacks are mainly used to post fake messages and try to trick the victim's friends into clicking on links that will infect their computers.

Sensitive Twitter documents were filched, though.

The hacker claims to have employee salaries and credit card numbers, resumes from job applicants, internal meeting reports and growth projections.

Stone said the stolen documents "are not polished or ready for prime time and they're certainly not revealing some big, secret plan for taking over the world," but said they are sensitive enough that their public release could jeopardize relationships with Twitter's partners.

What the attacks on Twitter show is that Web sites don't need to get compromised in the traditional sense to put its users and employees at risk.

Hackers don't need to find a vulnerability in the site itself, or plant a virus on an employee's computer, to sneak inside.

The easier approach is much more low-tech: All they need to find is an employee who uses weak passwords for his or her e-mail accounts, or has security questions that are easy to answer with a little information about the person.

It's an old strategy that's becoming more and more valuable as people's personal and work lives merge online.

It can be trivial to guess someone's passwords, as former vice presidential candidate Sarah Palin found out during the election, when her personal e-mail was hacked and screenshots were posted online. The attacker sneaked in by accurately guessing the answer's to Palin's security questions, based on information about her and her family that was already online.

Password-guessing programs are also a common hacking tool. An attacker runs the program against an account, and if it's allowed to try lots of times and the password isn't very complicated, the hacker's in.

Twitter was hit twice before this year in similar incidents.

In an attack against Twitter in January, a Twitter support staffer's account was compromised using a password-guessing-program. The got administrative access to the site. The Twitter feeds for Barack Obama, Britney Spears and other celebrities were used to send out bogus messages. A similar attack happened in May.

The attacks on Twitter serve as a reminder of why many corporations are reluctant to jump on the cloud computing bandwagon. Outsourcing sensitive jobs can save money but also open up companies to more risk, because their data aren't entirely under their control.

Another trend online is for Web-based services to streamline access by letting users log into each others' sites with the same usernames and passwords. Facebook and other services have begun to do this, raising possible security risks.

The lesson from Twitter's latest security troubles is an old one: Use strong passwords, which include some combination of letters and numbers, and for companies, be careful about how many accounts are linked to the same username and password combination.

©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

Explore further: Study shows role of media in sharing life events

add to favorites email to friend print save as pdf

Related Stories

Some Twitter staff accounts reportedly hacked

Jul 15, 2009

A hacker believed to have struck celebrity Twitter accounts previously has reportedly broken into accounts of the microblogging service's workers including co-founder Evan Williams.

Spears, DeGeneres Twitpic accounts hacked

Jun 29, 2009

(AP) -- Hackers have broadcast bogus information about celebrities including Britney Spears and Ellen DeGeneres after breaking into their Twitpic accounts.

Twitter dabbling with verifying identities

Jun 13, 2009

Authenticity badges were popping up at Twitter on Friday as the popular micro-blogging service tested a way to verify that people tweeting are who they claim to be.

Twitter co-founders are mum on revenue plans

May 27, 2009

(AP) -- Twitter Inc.'s co-founders say the rapidly growing online communications company will eventually charge fees for its services, but it's unclear which ones and what will drive revenue.

Recommended for you

Study shows role of media in sharing life events

14 hours ago

To share is human. And the means to share personal news—good and bad—have exploded over the last decade, particularly social media and texting. But until now, all research about what is known as "social sharing," or the ...

UK: Former reporter sentenced for phone hacking

21 hours ago

(AP)—A former British tabloid reporter was given a 10-month suspended prison sentence Thursday for his role in the long-running phone hacking scandal that shook Rupert Murdoch's media empire.

Evaluating system security by analyzing spam volume

22 hours ago

The Center for Research on Electronic Commerce (CREC) at The University of Texas at Austin is working to protect consumer data by using a company's spam volume to evaluate its security vulnerability through the SpamRankings.net ...

Surveillance a part of everyday life

23 hours ago

Details of casual conversations and a comprehensive store of 'deleted' information were just some of what Victoria University of Wellington students found during a project to uncover what records companies ...

European Central Bank hit by data theft

23 hours ago

(AP)—The European Central Bank said Thursday that email addresses and other contact information have been stolen from a database that serves its public website, though it stressed that no internal systems or market-sensitive ...

Twitter admits to diversity problem in workforce

Jul 24, 2014

(AP)—Twitter acknowledged Wednesday that it has been hiring too many white and Asian men to fill high-paying technology jobs, just like several other major companies in Silicon Valley.

User comments : 2

Adjust slider to filter visible comments by rank

Display comments: newest first

Nogero
1 / 5 (1) Jul 15, 2009
Cloud computing really has little to do with it except author's irrational fears. You might as well eliminate remote access for all users too, because if I have a user and password to a corp-no cloud, guess what? I can access email, docs, you name it. Probably MORE access than via the cloud.
PPihkala
1 / 5 (1) Jul 15, 2009
One thing that could help would be to restrict the originating IP's that are allowed for contact. Most users use only few places to access their online resources. And therefore the resource sites could lock out the other places and therefore hacking attempts. One thing to work out is how to validate the allowed IP's without making it too difficult for legimate users.