Computerworld Archive

What we can all learn from the Twitter security breach


I can't help but feel sorry for Twitter. They have been having a terrible time.

A couple of days ago it was revealed that the French hacker who broke into their internal systems a couple of months ago had been up to mischief again.

Last time Hacker Croll had gained access to the Twitter administration console, giving him access to the accounts of millions of Twitter users. His intention seemed to be to embarrass the micro-blogging network as he posted screenshots revealing that he'd been able to access private information regarding the accounts of the likes of Barack Obama, Britney Spears, Ashton Kutcher and Lily Allen.

How had the hacker wormed his way in? By resetting a Twitter employee's Yahoo password after guessing the answer to their online "secret question", then finding the employee's Twitter login credentials inside the mailbox.

Now it has become clear that Hacker Croll has also stolen confidential corporate documents and shared the information with popular website TechCrunch.

TechCrunch founder Michael Arrington says his site was sent 310 documents, including information about employees, their credit card numbers, confidential contracts with the likes of Nokia, AOL and Microsoft, email conversations with show business celebrities, phone numbers, plans for a TV show, financial projections, meeting reports and salary information.

Again, online email systems and poor password security appear to have been the weak link. A Twitter employee was using the same password on more than one website, and the hacker was able to determine it. This opened a treasure trove of corporate information that the company was storing in Google Docs, Google Calendar and Gmail.

Before any of us feel too smug about this, ask yourself one question: do you use the same password on multiple websites? Research conducted by Sophos shows that 33% of people do precisely that all the time.

Very few computer users seem to have woken up to the risks of using weak passwords, or of using the same one for every site they visit. With social networking and other internet accounts now more popular than ever, there's plenty on offer for hackers, and by using the same password to access Facebook, Gmail and your eBay account you're making it much easier for them.

In the case of the Twitter security leak, for instance, it's even reported that the hacker gained access to Twitter's domain name account on GoDaddy and could have redirected the traffic to another IP address, perhaps with malicious intent.

I suspect that the people at Twitter have learnt their lesson now. They have reportedly told their staff to change their passwords to unique, non-dictionary words, are introducing two-factor authentication, and have advised their millions of users never to use the same password on multiple websites. Of course, there is more they could be doing to better protect their users, but at least they're making a start.
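To make the two remedies mentioned above concrete, here is an added example (not code from the article, from Twitter or from Sophos) that enforces a "unique, non-dictionary" password rule and then requires a second factor at login, so that a password recovered by guessing a secret question or by reuse from another site is not enough on its own. The one-time code follows RFC 4226 (HOTP) and RFC 6238 (TOTP); the word list, the salt and the sample passwords are constructed for the example, and the `login` function is a hypothetical stand-in for a real authentication handler.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed stand-in for a real dictionary; a deployment would load a full word list.
COMMON_WORDS = {"password", "twitter", "letmein", "welcome", "qwerty", "monkey"}


def password_problems(candidate, already_used, dictionary=COMMON_WORDS):
    """Return the reasons a candidate fails the 'unique, non-dictionary' rule (empty list = OK).

    `already_used` is the set of passwords this person uses elsewhere, as a
    password manager would know them; a single website cannot see that set.
    """
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    # Strip trailing digits/symbols so "Twitter123!" is still treated as the word "twitter".
    normalised = candidate.lower().strip("0123456789!@#$%^&*")
    if normalised in dictionary:
        problems.append("dictionary word with trivial decoration")
    if candidate in already_used:
        problems.append("reused on another site")
    return problems


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time, window=1):
    """Accept the code for the current step and +/- `window` steps to tolerate clock skew.

    hmac.compare_digest keeps the comparison constant-time, so response timing
    does not reveal how many digits of a guess were right.
    """
    step = int(unix_time) // 30
    return any(
        hmac.compare_digest(hotp(secret, step + delta), submitted)
        for delta in range(-window, window + 1)
    )


def make_password_hash(password, salt):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256) as a site would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(password, totp_code, stored_hash, salt, totp_secret, unix_time):
    """Hypothetical handler: both factors must pass, so a stolen or reset password alone fails."""
    if not hmac.compare_digest(make_password_hash(password, salt), stored_hash):
        return False
    return verify_totp(totp_secret, totp_code, unix_time)


if __name__ == "__main__":
    vault = {"correct-horse-battery-staple"}          # constructed: passwords used elsewhere
    for pw in ("Twitter123!", "correct-horse-battery-staple", "v9#Lq2!xPz4mWb"):
        print(pw, "->", password_problems(pw, vault) or "accepted")

    salt = secrets.token_bytes(16)
    otp_secret = secrets.token_bytes(20)                # shared with the user's authenticator app
    stored = make_password_hash("v9#Lq2!xPz4mWb", salt)
    now = time.time()
    print("password + valid code:", login("v9#Lq2!xPz4mWb", totp(otp_secret, now), stored, salt, otp_secret, now))
    print("password alone (bad code):", login("v9#Lq2!xPz4mWb", "000000", stored, salt, otp_secret, now))
```

The `window` of one step either side is the usual compromise between tolerating an authenticator whose clock drifts and widening the set of codes an attacker could guess; a server should also refuse to accept the same code twice within a step.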

If I were one of the bosses at Twitter I would be feeling pretty embarrassed by what's happened, but I would also have some other emotions.

I'd be angry with the hacker for breaking in, and for acting irresponsibly by not reporting the problem directly to the company rather than to the world at large.

I'd be disgusted with TechCrunch, which seems to have adopted a holier-than-thou position on the leak, eager to publish confidential information not for genuine reasons of public interest but more in the voyeuristic style of the paparazzi.

But most of all, I'd be relieved that Hacker Croll didn't use the information he uncovered to cause much more serious problems for the organisation that could have impacted all of its users.

Graham Cluley is senior technology consultant at Sophos, and has been working in the computer security field since the early 1990s. When he's not updating his other blog on the Sophos website you can find him on Twitter at @gcluley.
