The hacker who broke Twitter’s rather feeble security last month was able to find and copy confidential documents because they were shared between Twitter employees using Google’s web apps.
A hacker calling himself Croll broke into a Twitter worker’s email account and from there found his way into the worker’s Google Apps account, where Twitter stores spreadsheets and documents containing business plans and financial details, admitted Twitter founder Biz Stone earlier this week.
The hacker also accessed the email of the Twitter CEO Evan Williams’ wife, discovering details of her personal Amazon and PayPal accounts.
The hacker sent the documents to two tech blogs, TechCrunch and Korben, along with personal information about Twitter employees including credit card numbers.
Despite the breach, Stone claims it doesn’t highlight a fundamental flaw in web apps, but rather the need for companies and individuals to use stronger passwords. With everyone on Twitter sharing every detail of their lives for all to see, the usual password sources, such as the names of kids and pets, are all in the public domain, enabling even the dumbest hacker to make an educated guess.
Instead of laboriously hacking through Twitter’s security measures, Croll simply answered Gmail’s password-recovery security questions – such as ‘What is your pet’s name?’ – to reset the passwords.
Twitter has now called in the lawyers, although it isn’t clear if the intention is to take action against the hacker or TechCrunch, which published details of Twitter’s plans to move from an income of absolutely nothing at all to $1.5 billion by 2013.
There is, of course, a simpler route to security on the web – introducing the death penalty for hacker scum.