Hacker Exposes Private Twitter Documents

Update | 3:54 p.m. TechCrunch has published some financial projections of Twitter. For the end of 2013: 1 billion users, $1.54 billion in revenue, 5,200 employees and $111 million in net earnings. More information is at the end of this post.

Update | 2:30 p.m. Adding statements from Twitter and Google.


Twitter, which is generally quite private about its business plans, has fallen prey to an attack by a hacker who has apparently exposed confidential corporate information.

The hacker claims to have private documents, including confidential contracts with Nokia, Samsung, Dell, AOL and Microsoft; the résumés of people who have applied to work at Twitter; personal information about Twitter employees, including credit card numbers; future business plans; and floor plans and security codes for Twitter’s offices.

The breach occurred in May, but on Wednesday, the hacker, who calls himself “Hacker Croll,” leaked a large number of documents unearthed in the attack to TechCrunch and a French blog called Korben. TechCrunch said it received 310 documents.

One internal document the hacker claims to have includes projections that Twitter will have 25 million users this year, 100 million next year and 350 million in 2011, and will eventually become the first Web service to have 1 billion users.

The hacker apparently broke into the Internet accounts of various Twitter employees, including Evan Williams, Twitter’s chief executive, as well as Mr. Williams’s wife, who does not work for Twitter, and two Twitter employees. He claims to have accessed Google Apps, Gmail, PayPal, Amazon, Apple, AT&T and MobileMe accounts.

Biz Stone, one of Twitter’s co-founders, wrote on the company blog Wednesday that the hacker broke into an administrative employee’s personal e-mail account and from there gained access to the employee’s Google Apps account, where Twitter shares calendars, spreadsheets and documents with ideas and financial details.

He said that private company documents were stolen, but Twitter user information was not. “As they were never meant for public communication, publishing these documents publicly could jeopardize relationships with Twitter’s ongoing and potential partners,” Mr. Stone wrote.

Mr. Stone said the attack was not the result of a flaw in Google or other Web applications, but that “it speaks to the importance of following good personal security guidelines such as choosing strong passwords.”

Both of the blogs that have the documents have, so far, been circumspect and have not published any sensational information.

Instead of circumventing any actual security measures, the hacker managed to correctly answer the personal questions that some Internet sites ask when users need to reset their passwords.

The hacker posted screen shots of the various accounts at the time and claimed to have also gotten control of Twitter’s domain name account, which would have allowed him to redirect Twitter visitors to another site.

On Tuesday, Mr. Williams confirmed the break-in to TechCrunch and said that no Twitter user accounts were compromised. Mr. Williams said the hacker did access a Twitter employee’s account and his wife’s Gmail account, where he found information like Mr. Williams’s personal credit card numbers.

“Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked,” Mr. Williams told TechCrunch. “It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via e-mail.”

The attack could reinforce the notion that storing sensitive documents on cloud-based Web services, like Gmail, is dangerous for companies and celebrities.

“Using Google apps and Gmail is great for personal use,” said Lori MacVittie, a technical marketing manager with the networking firm F5 Networks. “But from a corporate perspective, I just can’t see putting something out there that is so able to be compromised and has been on numerous occasions in the past.”

A Google spokesman said: “We are highly aware of the importance of our users’ data, and we have extensive policies and procedures in place to help provide high levels of data protection.” He said he could not comment on the specifics of this situation.

So far, the person behind the French blog, whom the BBC identified as Manuel Dorne, has only released some relatively innocuous information and has gone so far as to blur out what is written on images of Twitter merchandise like T-shirts and baseball caps. He said he was doing so because he was a fan of Mr. Williams and Twitter.

TechCrunch, run by Michael Arrington, said it had spent hours deciding which documents to publish and had determined that it would not publish floor plans, office security codes or résumés of people who applied to Twitter but remain at other companies. It said it would, however, publish documents with business plans and projections. It has already posted a pitch for a Twitter TV show, news of which leaked in the spring.

Internet commenters are torn over whether the hacked documents should be made public. Hundreds of readers responded to TechCrunch, many saying the blog should not publish the confidential documents.

Last September, in a similar attack, a hacker gained access to vice presidential candidate Sarah Palin’s Yahoo e-mail account by using her birthday and ZIP code and correctly answering the security question about where she met her spouse. Her personal e-mail messages were then published by the gossip site Gawker.

Both episodes demonstrate that the risks of exposure are particularly high for people who live their lives out in the open and whose personal details are widely known.

“A lot of the Twitter users are pretty much living their lives in public,” said Chris King, director of product marketing of Palo Alto Networks. “If you broadcast all your details about how you are living your life and what your dog’s name is and what your hometown is, it’s not that hard to figure out a password. Those are the pretty typical questions that people use for password recovery.”

The hacker also seems to have wanted to reinforce that notion. In an e-mail to Korben, the French blog, he wrote that he hoped his attack would make internet users “conscious that no one is protected on the Net.”

“Security starts with simple things like the secret questions, whose utility many people ignore, and the impact that that can have on their private lives if a pirate was able to circumvent them,” he wrote.

TechCrunch has published some financial information:

Twitter expected their first revenue to come in Q3 2009 (which is now). A modest $400,000 was expected, followed by a more robust $4 million in Q4. The document also shows Twitter’s projected user growth (25 million by the end of 2009), which it has absolutely blown through already. By the end of 2010, Twitter expected to be at a $140 million revenue run rate.


Michelle McDonald July 15, 2009 · 3:09 pm

I dislike those password recovery questions. They’re becoming increasingly weird and intrusive, and you usually can’t make your own or leave them blank. I’ve also had the problem of forgetting the answer, which is especially bad when you’re in a store, with your photo ID, and they’re reluctant to access your account without the correct answer.

Now on top of that, they’re a security hole. Awesome.

I understand that there are security issues with cloud-based systems. However, I fear that more stringent measures would cure the disease but kill the patient.

Let’s take for example an imaginary case where Gmail might suspend someone’s Gmail account for 24 hours if there are five unsuccessful login attempts within an hour.

All you need to do to sabotage someone’s Gmail access would then be to just try five times and fail. Life disrupted. Cracker succeeded. Me left crying … :(
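The failure mode the comment above describes (a fixed lockout that anyone who knows a username can trigger) is easy to see in code. The following is an added example, not code from the article, its comments, or Google; the users, sources and timings are constructed. It contrasts the "5 failures in an hour locks the account for 24 hours" rule with a throttle keyed on the (account, source) pair that slows a misbehaving source down with growing delays but never locks the account itself, so a stranger's failures do not shut the owner out.

```python
"""Account lockout versus per-source throttling (added example, constructed data)."""
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store: username -> SHA-256 of the password.
# (A real deployment would use a slow, salted KDF; plain SHA-256 keeps the
# example self-contained and is not the point being demonstrated.)
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def _password_ok(user: str, password: str) -> bool:
    """Constant-time comparison against the stored hash; unknown users fail."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


class NaiveLockout:
    """Policy from the comment: 5 failures within an hour -> account locked 24 h."""

    MAX_FAILURES, WINDOW, LOCK_FOR = 5, 3600, 24 * 3600

    def __init__(self):
        self.failures = defaultdict(list)   # user -> timestamps of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def login(self, user, password, source, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"                 # owner and attacker alike are refused
        recent = [t for t in self.failures[user] if now - t < self.WINDOW]
        if _password_ok(user, password):
            self.failures[user] = []
            return "ok"
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.MAX_FAILURES:
            self.locked_until[user] = now + self.LOCK_FOR
        return "denied"


class SourceThrottle:
    """Throttle keyed on (user, source): consecutive failures from one source
    earn that source an exponentially growing delay; the account is never locked."""

    BASE_DELAY, MAX_DELAY = 2, 300          # seconds

    def __init__(self):
        self.failures = defaultdict(int)    # (user, source) -> consecutive failures
        self.next_allowed = defaultdict(float)

    def login(self, user, password, source, now):
        key = (user, source)
        if now < self.next_allowed[key]:
            return "throttled"
        if _password_ok(user, password):
            self.failures[key] = 0          # success clears the penalty for this source
            return "ok"
        self.failures[key] += 1
        delay = min(self.BASE_DELAY * 2 ** (self.failures[key] - 1), self.MAX_DELAY)
        self.next_allowed[key] = now + delay
        return "denied"


def simulate(policy):
    """Five wrong guesses arrive from one source, one a minute; then the owner
    logs in from her own machine and the guessing source tries once more.
    Returns (owner_result, guessing_source_result)."""
    t = 1000.0
    for i in range(5):
        policy.login("alice", "wrong-guess", "unknown-source", t + i * 60)
    owner = policy.login("alice", "correct horse battery staple", "alice-laptop", t + 250)
    other = policy.login("alice", "wrong-guess", "unknown-source", t + 250)
    return owner, other


if __name__ == "__main__":
    print("naive lockout :", simulate(NaiveLockout()))    # owner is shut out
    print("source throttle:", simulate(SourceThrottle()))  # owner gets in, guesser waits
```

Under the naive policy both calls return "locked": the five failures from the unknown source have locked Alice out of her own account. Under the per-source throttle the owner's login returns "ok" while the guessing source is still inside its 32-second penalty and gets "throttled". Real deployments usually layer further signals (device recognition, CAPTCHA, notification to the owner) on top, but the key design point is the same: the penalty must attach to the party that is failing, not to the account.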

Use longer, more random passwords, and store them securely.

I use KeePass, which is free, open source, and secure. It will even generate random passwords for you, if you are creating a new account or changing your existing passwords.

This kind of thing is exactly why I never use computers.

Holy Moly.

That is absolutely THE WORST pitch I have ever read.
The synopsis makes no sense, has grammatical errors all over and it never says what might happen.

No Examples AT ALL.

No wonder Twitter passed and went with the other one.

I found the comment that no user accounts had been compromised (yet obviously this is not true) to be quite funny.

As someone else wrote, it’s one thing to put innocuous personal stuff on Google Docs or a social networking site; but important corporate docs? That borders on negligence.

And another thing: how can someone with theoretical technical sophistication have used such an easily guessed password, etc.?

All services that require a security question should let you write your own questions, always. When I can do that, the way some common question is worded is a key to me, and only me, which nonsensical or blatantly wrong answer is correct. For those that don’t, I only give wrong answers.

Doesn’t add up — Google Apps doesn’t have password recovery questions.

There’s a simpler solution to the password recovery questions that I’ve seen published in a number of places.

Just come up with a favorite quote or phrase that’s short and easy to type in. Just use that as the stock answer for whatever question you use for recovery. There’s never a rule stating that your answer must make sense to the question and that way you only have one thing to remember and it’s very difficult to break.

Big Bret (comment # 4), did your butler read you the article and type in your response?

Isn’t publishing the stolen info a crime?

I hate to see cloud apps thought of as inherently insecure. Rather, I would like to see additional measures taken to enhance security so that businesses could feel comfortable using the products. For example, let a google apps user specify a security level that must be met for those who view their documents. “Sally has rights to view my document _IF_ her password is sufficiently difficult.” OK so Sally won’t be able to use her dog’s name any more (I’ve always wanted to name my dog “password”), but in the end everyone wins.

I have never understood the appeal of “the cloud”. It seems senseless. I want to control my own data on my own machine with my own backups. Even if one is not hacked in the cloud, what about data becoming lost? And I don’t even have sensitive data, having been retired for 15 years.

“He [the Hacker] said he was doing so because he was a fan of Mr. Williams and Twitter. ”

It appears that there is a new category of over-obsessed “fan”:

The Cyber Stalker

Security questions can definitely cause problems. One alternative (though it’s not perfect) is to allow a person who has forgotten his/her password to request an e-mail containing a new, randomly-generated password. The new password must be used quickly or else it expires.
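The reset flow the comment above proposes, carried through in code. This is an added example, not code from the article, the commenter, or any vendor; the user store, clock and "send e-mail" outbox are constructed stand-ins. Two refinements beyond the comment's description are included because a practitioner would expect them: the server stores only a hash of the token, so a leaked database does not contain live reset credentials, and a token is consumed the moment it is redeemed, so it cannot be replayed.

```python
"""Password reset via a short-lived, single-use e-mailed token (added example)."""
import hashlib
import hmac
import secrets

TOKEN_TTL_SECONDS = 15 * 60   # token must be used within 15 minutes (constructed choice)


class PasswordResetService:
    def __init__(self, users):
        self.users = users        # username -> password hash (constructed store)
        self.pending = {}         # sha256(token) -> (username, expiry time)
        self.outbox = []          # stands in for the mail server: (username, raw token)

    @staticmethod
    def _hash(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()

    def request_reset(self, username, now):
        """Issue a token; only the hash is kept server-side, the raw token goes to e-mail."""
        # Same response for unknown users so the endpoint does not reveal which accounts exist.
        if username in self.users:
            token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
            self.pending[self._hash(token)] = (username, now + TOKEN_TTL_SECONDS)
            self.outbox.append((username, token))
        return "If that account exists, a reset link has been sent."

    def redeem(self, token, new_password, now):
        """Set a new password if the token is known, unexpired and not yet used."""
        entry = self.pending.pop(self._hash(token), None)   # pop => single use
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False                                  # expired tokens are discarded too
        self.users[username] = self._hash(new_password)
        return True

    def check_password(self, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))


def demo():
    """Walk through the happy path, a replay, and an expired token.
    Returns (fresh_accepted, replay_rejected, expired_rejected, new_password_works)."""
    svc = PasswordResetService({"alice": PasswordResetService._hash("old-password")})
    svc.request_reset("alice", now=0)
    _, token = svc.outbox[-1]                  # what the user would read from the e-mail
    fresh = svc.redeem(token, "new-password", now=60)
    replay = svc.redeem(token, "other-password", now=61)
    svc.request_reset("alice", now=1000)
    _, stale = svc.outbox[-1]
    expired = svc.redeem(stale, "late-password", now=1000 + TOKEN_TTL_SECONDS + 1)
    return fresh, not replay, not expired, svc.check_password("alice", "new-password")


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True, True)
```

The hashing step matters because the table of pending tokens is exactly what an attacker who has read access to the database would want; storing SHA-256 of a 256-bit random token gives them nothing usable. Note also that the service resets the password rather than mailing a new one in clear text, so nothing that works as a credential after the reset ever transits e-mail.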

When I am asked security questions, I give answers such as “xfjdpajgoihdn”. That way, no one will ever guess the answer. With such answers, I had better remember my passwords; I store them in an encrypted file on a computer that is not connected to the Internet.

David Levner, I assume you don’t use Priceline or Vanguard, both of which ask me security questions on a regular basis as a normal part of staying logged in.

All we need are RFIDs implanted in the skull upon birth, and tinfoil hats for situations where we don’t want to expose our identity.

A billion users? Pretty sure this fad will fade faster than you can say MySpace. It’s just another commodity which can (and will) be easily replicated, and since it is such a one-dimensional service,

it won’t have the traction of the inevitable imitators from Google and Microsoft, who will have the ability to integrate their similar services into their existing products and crush Twitter.

Big Bret (#4), that was hilarious, bro …
Maybe you should stop breathing if someone belched in the room :-)

The comments here focusing on use of the “cloud” or Google Apps are missing the point *completely*. This could very easily have happened on a traditional platform. How? Exchange servers with IMAP enabled (increasingly common in order to support iPhones) can be used to access a person’s complete email history. Anyone who uses email in a corporate setting should be well aware that people email back and forth sensitive documents all the time, and those are therefore ripe for the picking if you can just get into their email. All that stands in your way is a guessable password.

Moral of the story: This is all about password security. Choose a hard-to-guess password (and forgotten-password questions), do not reuse passwords across services, and change them periodically. It’s just common sense.

What about just giving a “wrong answer” to the question? All the answers to my questions are actually wrong – but like my passwords, they make sense to me so I can remember them.

How could any corporate IT professional worth his/her salt ever consider adopting Google Docs as the company productivity solution after this incident?

“Hey boss, I saved us some money, but now all of our confidential documents and email are readily available on the Internet. You may want to consider telling your wife about your girlfriend in LA.”

Wonder what TechCrunch paid off the hacker for the info…

Can someone enlighten me as to why TechCrunch should not be charged with illegal possession and trafficking in stolen properties?

Conveyor of The Truth August 6, 2009 · 7:30 pm

@MooHoo

Agreed. Possession and/or trafficking of stolen or otherwise unlawfully obtained material in any shape or form–including digital or print–if not already against the law, ought to be made so.

Whoever takes part in the crime (in that case it would be publishing the Twitter legal corp docs) is acting against the law and should be punished.