What we can all learn from Twitter

by Jay on September 14, 2009

A French hacker going by the alias Hacker Croll recently found a security weakness and used it to attack Twitter. Croll managed to gain access to Twitter’s internal documents and distributed them to a number of technology news sites. Twitter responded with two blog posts stating that the attack was limited to stolen internal documents and that, unlike the earlier incident, Twitter user accounts were not compromised. The company added that it is looking into legal action, where applicable, against web sites that publish and redistribute the leaked documents.

According to an online interview conducted by TechCrunch, the hacker first gained access to an administrative employee’s Gmail account through its password recovery options. After sifting through her email, he found a confirmation message from a website that included her login credentials (user ID and password). Like many modern web users, she reused that password across several sites, including Google Docs, which Twitter uses internally. Once Croll had access to Google Docs he effectively had carte blanche over all meeting notes, company strategy documents, financial projections and many other internal business documents. Twitter has since updated its company password policy and reviewed its security.

As the documents are freely available online, I don’t believe there is any benefit to be gained from republishing them. Instead, I’ll offer my analysis of the situation and how it might have been avoided altogether.

This whole situation could have been prevented had Twitter kept its documents on an internal shared drive instead of relying on Google Docs’ cloud-based service. However, that would have been both time- and cost-prohibitive: it means installing licensed Microsoft software on every computer while also building a reliable and robust shared network. Remember, Twitter experienced phenomenal growth in 2009 and its number one objective is to ensure service uptime and usability; as a result, something as mundane as word processing was not high on the priority list. The lesson is that although cloud services are a valid alternative to local installations, one must also weigh the risk of relying too heavily on the cloud. One caveat is worth adding: the links that actually failed in this attack were the Gmail password recovery path and the reused password, not Google Docs itself, so an internal file share reachable with that same reused password would have fallen just as easily.

A possible solution I recommend to family and friends is that if they choose to use the same password for every website, they should at least add characters to it that are specific to each site. For example, if my default password is pa55w0rd, then for Yahoo I would use yahoopa55w0rd and for Google I would use googlepa55w0rd (in this example, website + password). Being creative and making each password unique while retaining a memorable core can help you recall hard-to-remember passwords. Bear in mind that this only raises the bar slightly: the site name is not a secret, so anyone who obtains one of these passwords can strip the site name off and derive the rest. Genuinely unrelated passwords for each site remain the stronger defence.
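As an added example (not code from the original post, and not anything Twitter or Hacker Croll wrote), the following Python sketches the two points above: a password-reuse check of the kind that would have flagged the shared credential described in the previous section, and why the site-name-plus-password scheme gives little protection once a single password leaks. The account list, the base password pa55w0rd and the HMAC-based alternative shown at the end are constructed for illustration and are not from the post.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample data for this example only: (site, password) pairs as an
# attacker might collect them from confirmation emails in a compromised inbox.
LEAKED_ACCOUNTS: List[Tuple[str, str]] = [
    ("gmail", "pa55w0rd"),
    ("some-shop", "Summer2009"),
    ("google-docs", "pa55w0rd"),
]

BASE_PASSWORD = "pa55w0rd"  # the post's example default password


def find_reused_passwords(accounts: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return {password: [sites]} for every password used on more than one site.

    This is the check the employee (or Twitter) could have run: any password
    that appears against two sites gives an attacker who learns it on one site
    a free login on the other.
    """
    by_password: Dict[str, List[str]] = {}
    for site, password in accounts:
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def naive_site_password(site: str, base: str = BASE_PASSWORD) -> str:
    """The post's scheme: site name prepended to one base password,
    e.g. 'yahoo' + 'pa55w0rd' -> 'yahoopa55w0rd'."""
    return f"{site}{base}"


def recover_base_from_leak(site: str, leaked_password: str) -> Optional[str]:
    """Attacker's view of the naive scheme: the site name is public, so a
    password leaked from `site` that starts with that name gives away the base."""
    if leaked_password.startswith(site):
        return leaked_password[len(site):]
    return None


def attacker_derives_all(site: str, leaked_password: str,
                         other_sites: List[str]) -> Dict[str, str]:
    """Given one leaked naive-scheme password, derive the passwords for every
    other site. Returns an empty dict if the leak does not fit the pattern."""
    base = recover_base_from_leak(site, leaked_password)
    if base is None:
        return {}
    return {s: naive_site_password(s, base) for s in other_sites}


def keyed_site_password(site: str, secret: str, length: int = 16) -> str:
    """Hypothetical alternative, not from the post: derive each site's password
    as HMAC-SHA256(secret, site). A leaked password for one site does not let
    an attacker strip anything off to recover the secret or the other sites'
    passwords, unlike the naive concatenation above."""
    digest = hmac.new(secret.encode(), site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    print("reused:", find_reused_passwords(LEAKED_ACCOUNTS))
    leaked = naive_site_password("yahoo")
    print("leaked from yahoo:", leaked)
    print("attacker derives:", attacker_derives_all("yahoo", leaked, ["google", "twitter"]))
    for s in ("yahoo", "google"):
        print(f"keyed password for {s}:", keyed_site_password(s, BASE_PASSWORD))
```

Running the block shows the reuse check flagging pa55w0rd on both gmail and google-docs, and a single leaked yahoopa55w0rd yielding googlepa55w0rd and twitterpa55w0rd with no further effort; the keyed variant produces per-site strings that reveal nothing about each other, at the cost of needing a tool to regenerate them rather than memory alone.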

Although Twitter may not feel the financial impact immediately, the internal documents did mention competitor and key partner information. This may have damaged potential relationships and perhaps offered developers a glimpse of what Twitter considers “potential acquisition” targets (e.g. TwitPic). The company expects to generate its first revenue, approximately $400K, in Q3’09 but did not say how it intends to do so, and given this leak it may well delay any advertising deals into 2010. I will provide an in-depth cost analysis in the near future, as I believe Twitter may become a victim of its own success if management does not focus on the right objectives, given the skyrocketing user base combined with relatively high carrier service costs.
