The BBC reports that Twitter is speaking with lawyers after over 300 documents were hacked and then published on the web. As reported yesterday, TechCrunch has published some of the documents that did not contain personal information. But the hacked documents being published are not the only security problem Twitter is dealing with this week.
As to the documents obtained by “Hacker Croll” and that are appearing on the web:
“We are in touch with our legal counsel about what this theft means for Twitter, the hacker and anyone who accepts…or publishes these stolen documents,” said Twitter’s Biz Stone.
In a blog posting he wrote that “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked.
“From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.”
BBC blogger Rory Cellan-Jones notes that he
spoke to the French blogger Manuel Dorne, who was the first to receive the file from “Hacker Croll” – who’s apparently based in France. He told me the documents included credit card numbers and personal account details from Apple’s Mobile Me service.
In the meantime, the Associated Press reported that for the third time this year, a Twitter breach was due to an employee having a weak password that was easily guessed:
Co-founder Biz Stone wrote in a blog posting that the personal email of an unnamed Twitter administrative employee was hacked about a month ago, and through that the attacker got access to the employee’s Google Apps account.
Separately, the wife of co-founder Evan Williams also had her personal email hacked around the same time, Stone wrote. Through that, the attacker got access to Williams’ personal Amazon and PayPal accounts.
Stone said the attacks are “about Twitter being in enough of a spotlight that folks who work here can become targets.”
Robin Wauters of TechCrunch reports that the password to the servers was, literally, “password,” and discusses the “culture of lax security” at Twitter:
With that in mind, we have some friendly advice for Twitter. For instance, it would be wise if in the future Twitter insiders do not use the password “password” for the back ends of its systems or one of its co-founder’s names (Jack) as a username.
Wauters emphasizes that the “password” and “Jack” issue
has absolutely nothing to do with the other security breach we’re publishing ongoing reports about and which Twitter has already publicly responded to. We notified Twitter about this breach as well, and waited until they took action to close it off before posting.
So… what will Twitter’s next move be about the publication of the hacked documents? And will these latest embarrassments result in Twitter really hardening its security and its protection of personal information? Stay tuned.