
Updated: Many Unknowns In Twitter Document Breach

Updated with comment from Twitter: A number of purportedly authentic internal Twitter documents, containing information of both a corporate and personal nature, were delivered to TechCrunch yesterday by an unknown person, who also threatened to release them publicly. At least 310 separate items were obtained, including important strategic documents like “executive meeting notes, partner agreements and financial projections” as well as more mundane items such as the “meal preferences” of various Twitter employees. Putting aside the question of whether or not the documents should be made public, there is a lot we don’t know about how the data was obtained.

It seems likely, based on a post by TechCrunch founder Mike Arrington, that the documents were taken via Google’s Gmail or Docs cloud applications, most likely by using the service’s password recovery system to reset the password and gain unauthorized access to a corporate Twitter account. Arrington claims that Twitter uses easy-to-guess passwords and recovery questions, and that such an approach opens the company up to serious data breaches like this. That would mean this isn’t a “cloud” privacy issue, per se, like the one that Om worried about when Google Docs was first released. Rather, it would be an issue of companies using poor authentication and password-reset procedures to secure their data.
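The weak point described above is a recovery flow that hands out account access in exchange for guessable knowledge (a pet’s name, a birthday). As an added example, not code from Twitter, Google or the post, the hypothetical `ResetService` below shows the alternative a defender would want: a random, single-use, short-lived reset token that is delivered only to the address already on file, stored only as a hash, and burned after a handful of wrong guesses. All usernames, addresses and timestamps are constructed for the example.

```python
"""Token-based password reset instead of recovery questions (added example).

A guessable recovery question is a second, weaker password. A reset token that
is random, short-lived, single-use and rate-limited has none of those problems,
and never appears in the web response, only in the out-of-band message.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60   # a reset link should not live long
MAX_ATTEMPTS = 5              # wrong tokens allowed before the token is burned


@dataclass
class PendingReset:
    token_hash: str           # only a hash is stored; a DB leak reveals no usable token
    expires_at: float
    attempts: int = 0


@dataclass
class ResetService:
    users: dict                                      # username -> recovery e-mail (constructed)
    pending: dict = field(default_factory=dict)      # username -> PendingReset
    outbox: list = field(default_factory=list)       # stands in for the mail sender
    password_hashes: dict = field(default_factory=dict)
    clock: object = time.time                        # injectable for testing expiry

    def request_reset(self, username: str) -> None:
        """Behave identically for known and unknown users so the endpoint
        cannot be used to enumerate accounts."""
        if username not in self.users:
            return
        token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
        self.pending[username] = PendingReset(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self.clock() + TOKEN_TTL_SECONDS,
        )
        # The token goes only to the address on file, never back to the requester.
        self.outbox.append((self.users[username], token))

    def complete_reset(self, username: str, token: str, new_password: str) -> bool:
        entry = self.pending.get(username)
        if entry is None or self.clock() > entry.expires_at:
            self.pending.pop(username, None)         # expired tokens are discarded
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            self.pending.pop(username, None)         # burn the token on repeated guessing
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, entry.token_hash):
            return False                             # constant-time comparison
        # Success: the token is single-use, so drop it before storing the password.
        self.pending.pop(username, None)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.password_hashes[username] = (salt, digest)
        return True


if __name__ == "__main__":
    svc = ResetService(users={"alice": "alice@example.test"})   # constructed account
    svc.request_reset("alice")
    _, token = svc.outbox[-1]                                    # "read" the e-mail
    print("wrong token accepted:", svc.complete_reset("alice", "guess", "pw"))
    print("real token accepted:", svc.complete_reset("alice", token, "correct horse battery staple"))
    print("reuse accepted:", svc.complete_reset("alice", token, "again"))
```

Two design points matter as much as the randomness: `request_reset` gives the same response whether or not the account exists, and `complete_reset` counts attempts against the token rather than against the requester, so the limit cannot be dodged by changing IP address.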

The Twitter data breach may have been the work of a disgruntled employee (very common in corporate espionage cases), a competitor trying to discredit the company — even a bored teenager hanging out on 4Chan. We won’t know what actually happened until more information comes to light, and an investigation on the part of law enforcement officials (which is definitely coming) is undertaken. I suspect it comes down to poor data handling and security on Twitter’s part, and weak password reset protocols on the part of Google — not some fundamental weakness of the “cloud.”

We have reached out to Twitter and will update if and when we hear back.

Updated: Twitter co-founder Biz Stone has updated the official Twitter Blog with more information about the breach. Biz says that the personal email account of an “administrative employee” at Twitter was “hacked” — though he doesn’t say exactly what “hacked” means. From that account, the party was able to access the employee’s Google Apps account, including those that Twitter uses to share “notes, spreadsheets, ideas, financial details and more within the company.”

Biz notes that the attack had nothing to do with Google Apps (which the company will continue to use), and is not about any flaw with the cloud — instead, “it speaks to the importance of following good personal security guidelines such as choosing strong passwords.” He emphasizes that no Twitter user accounts were compromised, nor was it a hack on Twitter itself.

Twitter and its legal counsel are discussing what the theft means for the company, the thief, and anyone who “subsequently shares or publishes these stolen documents. We’re not sure yet exactly what the implications are for folks who choose to get involved.” Biz goes on to say that “these docs are not polished or ready for prime time, and they’re certainly not revealing some big, secret plan for taking over the world.” Ah, but perhaps there is a secret plan for making some revenue, or even a profit! That WOULD be newsworthy.

“Nevertheless, as they were never meant for public communication, publishing these documents publicly could jeopardize relationships with Twitter’s ongoing and potential partners;” roughly translated: Arrington, you are so banned if you post anything else.

I doubt this is the last we’ve heard of this scandal.

12 Responses to “Updated: Many Unknowns In Twitter Document Breach”

  1. Griffon

    Yeah… I kind of wish that techcrunch had taken a pass…. these are not smoking gun documents that the release of can be seen to serve the public good, even in some offhand way. There is a world of difference printing a little ink around what one gets from some inside contacts over lunch and using stuff burgled in this fashion, and the techcrunch line about news is what they don’t want you to print… blahblah just does not hold up IMO. The whole thing is so valley wag, in the worst possible way. Ah well, so the valley turns… I’m going to do my best to tune the rest of this out.

  2. Some of the docs have already shown up on Techcrunch. From my perspective far too many companies, including many Fortune 2000 types, don’t pay enough attention to security issues. This is one of the reasons we hear so much about breaches after the fact. I think Twitter, with all the publicity, should have expected the possibility of an event and hired someone – outsourced or otherwise – to provide the troops with do’s and don’ts and to tighten up logical security systems.

  3. You can’t rely on third party applications like Google Docs for keeping up your confidential documents. I also think this whole episode is fabricated by Arrington, who is always interested in spreading rumors and creating controversies in order to gain some mileage.

  4. >I suspect it comes down to poor data handling and security on Twitter’s part, and weak password reset protocols on the part of Google — not some fundamental weakness of the “cloud.”

    But part of the Twitter weakness was having documents outside the domain of their control, and hence, that is part of the fundamental weakness of the ‘cloud’.

    • Yes, that’s true — and one of the major trade-offs of the cloud.

      “Physical access is access,” as the saying goes. With the cloud, you (and everyone else) has “physical” access from anywhere. Sort of.

    • Richard

      Passwords aren’t really enough to keep confidential data secure in the cloud. Just like traditional VPN access, companies that are serious about security should require use of two-factor authentication – a password known by the user, AND a randomly-changing number generated by a hardware token. In fact this is what my company uses for employees needing web access from outside the firewall to the internally-hosted corporate email.

      I don’t know if Google Apps offers this, but it really needs it to make a dent in the corporate market.
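The “randomly-changing number generated by a hardware token” that Richard describes is, in most such products, a one-time password derived from a shared secret and either a counter (HOTP, RFC 4226) or the current time step (TOTP, RFC 6238). The block below is an added example, not Google’s or any token vendor’s code, showing the server-side check: how the code is derived, a small clock-drift window, and replay protection so an intercepted code cannot be used twice. The hypothetical `SecondFactorVerifier` class and the constructed secret are assumptions; the secret used in the test is the public RFC test-vector key, not a real credential.

```python
"""Verifying a time-based one-time password as a second factor (added example).

The token and the server share a secret; both compute HMAC-SHA1 over the
current 30-second step number and truncate it to six digits. The server
accepts the code only once and only within a narrow window around its own clock.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # TOTP time step used by most authenticator apps and tokens
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step)


class SecondFactorVerifier:
    """Server-side state for one enrolled user (hypothetical class)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window              # accept +/- this many steps of clock drift
        self.last_used_counter = -1       # highest step already accepted (replay guard)

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        counter = now // STEP_SECONDS
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_used_counter:
                continue                  # a step that already authenticated is dead
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed shared secret (the RFC 6238 test-vector key), not a real enrollment.
    secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(secret)
    now = int(time.time())
    code = totp(secret, now)              # what the token would display right now
    print("first use:", verifier.verify(code, at=now))
    print("replay:", verifier.verify(code, at=now))
```

The password still guards the account as before; the verifier is an additional gate, so a leaked or guessed password alone (the failure mode the post describes) is not enough. Note the window: too wide a window lengthens the life of an intercepted code, and the replay guard is what keeps a code from being accepted twice even inside the window.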