Updated: Many Unknowns In Twitter Document Breach

Updated with comment from Twitter: A number of purportedly authentic internal Twitter documents, containing information of both a corporate and personal nature, were delivered to TechCrunch yesterday by an unknown person, who also threatened to release them publicly. At least 310 separate items were obtained, including important strategic documents like “executive meeting notes, partner agreements and financial projections” as well as more mundane items such as the “meal preferences” of various Twitter employees. Putting aside the question of whether or not the documents should be made public, there is a lot we don’t know about how the data was obtained.

It seems likely, based on a post by TechCrunch founder Mike Arrington, that the documents were taken via Google’s Gmail or Docs cloud applications, most likely by using the service’s password recovery system to reset the password and gain unauthorized access to a corporate Twitter account. Arrington claims that Twitter uses easy-to-guess passwords and recovery questions, and that such an approach opens the company up to serious data breaches like this one. That would mean this isn’t a “cloud” privacy issue, per se, like the one that Om worried about when Google Docs was first released. Rather, it would be an issue of a company using weak authentication and password-reset practices to protect its data: a recovery question whose answer can be guessed is simply a second, much weaker password.
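To make the recovery-question weakness concrete, here is an added Python example (not code from Twitter, Google or the original post). It contrasts a security-question reset, whose only proof of identity is a guessable answer, with a token-based reset that generates a random single-use token, stores only its hash, expires it, and compares in constant time. The account, the question, the answer and the guess list are all constructed for the demo; nothing here describes how the actual accounts in this story were configured.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account; not a real Twitter or Google account.
WEAK_ACCOUNT = {
    "user": "admin.assistant",
    "password": "password1",
    "question": "What is your pet's name?",
    "answer": "fluffy",
}

# The answer space for a "pet's name" question is tiny. This constructed
# guess list stands in for the wordlist an attacker would actually use.
COMMON_PET_NAMES = ["max", "bella", "buddy", "fluffy", "charlie"]


def weak_reset(account, answer, new_password):
    """Security-question reset: the knowledge proof is the guessable answer,
    and nothing throttles repeated attempts."""
    if answer.strip().lower() == account["answer"]:
        account["password"] = new_password
        return True
    return False


def guess_weak_reset(account, candidates):
    """Guessing loop against the unthrottled weak flow.
    Returns the number of attempts needed, or None if no guess matched."""
    for attempt, guess in enumerate(candidates, start=1):
        if weak_reset(account, guess, "attacker-chosen"):
            return attempt
    return None


class TokenReset:
    """Hardened reset: a random single-use token, delivered out-of-band,
    stored only as a SHA-256 hash and expiring after ttl seconds."""

    def __init__(self, ttl=900, now=time.time):
        self.ttl = ttl
        self.now = now  # injectable clock so expiry can be tested
        self._pending = {}  # user -> (sha256(token), expiry_timestamp)

    def request(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user] = (digest, self.now() + self.ttl)
        # In a real system the token goes only to the verified address on
        # file; it is returned here so the demo can complete the flow.
        return token

    def complete(self, account, token, new_password):
        entry = self._pending.get(account["user"])
        if entry is None:
            return False
        digest, expiry = entry
        if self.now() > expiry:
            del self._pending[account["user"]]  # expired: discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False  # wrong token; callers should also rate-limit here
        if len(new_password) < 12:
            return False  # token stays valid so the user can pick a better one
        del self._pending[account["user"]]  # single use
        account["password"] = new_password
        return True


if __name__ == "__main__":
    acct = dict(WEAK_ACCOUNT)
    print("weak flow cracked in", guess_weak_reset(acct, COMMON_PET_NAMES), "guesses")

    hardened = TokenReset(ttl=900)
    acct2 = {"user": "admin.assistant", "password": "password1"}
    token = hardened.request(acct2["user"])
    print("guessed token accepted:", hardened.complete(acct2, "fluffy", "a-long-new-password"))
    print("real token accepted:", hardened.complete(acct2, token, "a-long-new-password"))
```

The weak flow falls to a four-entry guess list because the recovery answer is drawn from a space far smaller than any password policy would allow, which is exactly why a guessable question defeats whatever strength the primary password had. The token flow moves the secret into something the attacker cannot enumerate and must additionally intercept out-of-band, and the stored hash means a leaked database does not hand out live reset tokens.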

The Twitter data breach may have been the work of a disgruntled employee (very common in corporate espionage cases), a competitor trying to discredit the company — even a bored teenager hanging out on 4Chan. We won’t know what actually happened until more information comes to light, and an investigation on the part of law enforcement officials (which is definitely coming) is undertaken. I suspect it comes down to poor data handling and security on Twitter’s part, and weak password reset protocols on the part of Google — not some fundamental weakness of the “cloud.”

We have reached out to Twitter and will update if and when we hear back.

Updated: Twitter co-founder Biz Stone has updated the official Twitter Blog with more information about the breach. Biz says that the personal email account of an “administrative employee” at Twitter was “hacked” — though he doesn’t say exactly what “hacked” means. From that account, the party was able to access the employee’s Google Apps account, including those that Twitter uses to share “notes, spreadsheets, ideas, financial details and more within the company.”

Biz notes that the attack had nothing to do with Google Apps (which the company will continue to use), and is not about any flaw with the cloud — instead, “it speaks to the importance of following good personal security guidelines such as choosing strong passwords.” He emphasizes that no Twitter user accounts were compromised, nor was it a hack on Twitter itself.

Twitter and its legal counsel are discussing what the theft means for the company, the thief, and anyone who “subsequently shares or publishes these stolen documents. We’re not sure yet exactly what the implications are for folks who choose to get involved.” Biz goes on to say that “these docs are not polished or ready for prime time, and they’re certainly not revealing some big, secret plan for taking over the world.” Ah, but perhaps there is a secret plan for making some revenue, or even a profit! That WOULD be newsworthy.

“Nevertheless, as they were never meant for public communication, publishing these documents publicly could jeopardize relationships with Twitter’s ongoing and potential partners;” roughly translated: Arrington, you are so banned if you post anything else.

I doubt this is the last we’ve heard of this scandal.