Twitter’s embarrassing security lapses
Wednesday 15 July 2009 | By Heidi Scott, Gosh! Media Copywriter
Real-time social messaging service Twitter has been fessing up over the slack security that allowed a hacker to access the personal web services accounts of co-founder Evan Williams, his wife and at least one other employee, making off with a pile of confidential Twitter documents which are now being published on the Internet.
Twitter, which has suffered a number of security breaches in the past, has given a detailed account of the matter on its site and claims that, since the attack, it has undertaken a security audit and reminded its staff of the importance of adhering to personal security guidelines.
In an entry on its blog, Twitter says, "First, it's important to note how these documents were stolen. In this case, a Twitter employee used the same non-unique password on multiple services. A hacker gained access to our business documents because this common password was retrievable on an unrelated system. If you've ever used the same password on more than one service, you've made the same mistake that led to this theft – it's a web wide issue. Random password generators as well as two-factor authentication for more sensitive systems are now mandatory at Twitter, Inc."
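The mechanism Twitter describes is simple: a password recovered from one weakly protected service unlocks every other service where it was reused. The following is an added example, not code from Twitter or from this article, showing the two controls the blog post names from the defender's side: a password generator fed by the operating system's CSPRNG, and a reuse audit of the kind a password manager runs over its own entries. The vault, its service names and the weak password are constructed for the example; because each entry has its own salt, the audit cannot compare stored hashes directly and must re-derive the hash per entry.

```python
import hashlib
import hmac
import os
import secrets
import string

PBKDF2_ITERATIONS = 100_000  # assumption: work factor chosen for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form a service should store instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> dict:
    """Stored credential record for one service: a fresh random salt plus the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Constant-time check of a candidate password against a stored record."""
    return hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])


def generate_password(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG (the 'random password generator' the post mandates)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reused_on(password: str, vault: dict) -> list:
    """Names of every vault entry the password verifies against.

    Salts differ per entry, so two entries holding the same password have
    different hashes; the audit re-derives the hash for each entry (O(entries)).
    """
    return sorted(name for name, rec in vault.items() if verify(password, rec))


def reuse_conflicts(vault: dict, service: str, candidate: str) -> list:
    """Other entries that a candidate password for `service` would already unlock.

    A non-empty result is exactly the situation in the Twitter incident: one
    recovered password opening an unrelated account.
    """
    return [name for name in reused_on(candidate, vault) if name != service]


# Constructed vault: a pet-name style password reused on two services, one unique one.
WEAK_PASSWORD = "fluffy2009"  # constructed sample value
VAULT = {
    "personal-mail": make_record(WEAK_PASSWORD),
    "google-apps": make_record(WEAK_PASSWORD),
    "bank": make_record(generate_password()),
}

if __name__ == "__main__":
    # Setting the weak password on a new service is flagged against both existing uses.
    print(reuse_conflicts(VAULT, "new-service", WEAK_PASSWORD))
    # A freshly generated password conflicts with nothing.
    fresh = generate_password()
    print(len(fresh), reuse_conflicts(VAULT, "new-service", fresh))
```

The audit is intentionally per-entry rather than a hash lookup: a vault that stored unsalted hashes could spot reuse with a single set comparison, but it would also hand an attacker who obtained the vault a ready-made cross-service lookup table, which is the very exposure the incident illustrates.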
What actually happened was that, about a month ago, an administrative employee at Twitter had her personal email attacked, giving the hacker the information required to access her Google Apps account. This contained documents, calendars and other Google Apps that Twitter uses to share internal data.
However, Twitter was quick to steer blame clear of Google, stating, "This attack had nothing to do with any vulnerability in Google Apps which we continue to use… This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords." The company also pointed out that Twitter user accounts were not compromised, although it admitted that a screenshot of one person's account was among the sensitive data, adding, "We contacted that person and recommended changing their password."
The matter is undoubtedly embarrassing for Twitter, whose success – ironically – is based on rapid sharing of information. The company was clearly unnerved by the experience, admitting: "Out of context, rudimentary notes of internal discussions will be misinterpreted by current and future partners jeopardizing our business relationships." Although Twitter has tried to put a positive spin on the debacle, its concerns are evident: "We're doing our best to reach out to these folks and talk over any questions and concerns. However, our goal remains focusing on the most important business at hand – creating value for users and building the best possible Twitter service."
The Twitter blog went on to quote Internet pundit Peter Kafka, who quipped in his MediaMemo column on the All Things Digital site that the affair was "akin to having your underwear drawer rifled: Embarrassing, but no one's really going to be surprised about what's in there" – an analogy that Twitter described as "apt".
Gosh! Media believes that these events will raise further concerns over 'cloud computing', whereby work data are stored on servers accessed via the Internet. Despite Twitter's non-accusatory comments, Google will be in the spotlight because much of the Twitter data was stolen after the hacker used Google's 'password recovery' system. One thing's for sure: when it comes to security, we all need to think a little further than the name of the family dog or our beloved first-born!