I’m interested to document how French hacker “Hacker Croll” was recently able to steal sensitive company documents from Twitter.
My interest in this is to inform myself and hopefully others as to how to safeguard ourselves as best we can from suffering similar fates in future.
What I have gleaned so far:
From TechCrunch yesterday:
“Hacker Croll was able to compromise the Twitter accounts of founder Evan Williams, his wife, and several employees. Using password recovery techniques, Hacker Croll claims he gained access to various Paypal, Amazon, Apple, AT&T, MobileMe and Gmail accounts. Evan Williams… confirms:
Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of twitter where someone gained access to user’s accounts. This had nothing to do with the security of twitter.com, and there were no user accounts compromised here.
Some notes:
- He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
- There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
- He also successfully targeted a couple other employees’ personal accounts (Amazon, AT&T, Paypal…) In general, most of the sensitive information was personal rather than company-related. Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email.
Above and below are purported screenshots of Williams’ accounts on Twitter, Gmail, and GoDaddy. He claims he was able to access Twitter’s domain name account on GoDaddy and could have redirected the traffic to another IP address (I’m sure that would have worked for about three minutes). The Gmail access, if true, would have been more troubling. Once the hacker got into @ev’s Gmail account, password recovery for other accounts was easy. He claims to have gained access to some internal documents, including projections for reaching 25 million users in 2009, 100 million in 2010, 350 million in 2010, and an outlandish goal to eventually become the first Internet service to reach one billion users. So maybe some corporate information was compromised.”
And from PC World today:
“…what’s strange about the hack of Twitter’s Gmail accounts is that Google’s security process is not as simple as Yahoo’s allegedly was at the time of the Palin hack.
On the password recovery page, Google asks you for your username, and then requires you to enter a CAPTCHA. Then Google sends a link to the e-mail address you originally entered when you signed up for a Google account. If you don’t have access to that account, Google will not allow you to access your account by answering your security question until 24 hours after you’ve received the security e-mail at your alternate account. Yahoo Mail currently uses a similar password recovery method.
It’s not clear if this security measure was in place at the time Hacker Croll accessed the Gmail accounts associated with Twitter, but it does serve as a reminder that you must keep your information up to date and choose a security question that will be difficult for a hacker to figure out.”
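The PC World excerpt describes a recovery flow with two paths: a link mailed to the alternate address, and a security-question fallback that only opens 24 hours after that mail went out. The following Python model is an added example written for this post; it is not Google's or Yahoo's code, and the one-hour link expiry, the constructed account record and the in-memory outbox are assumptions made to keep it self-contained. It shows why the delay matters: someone who holds only a guessed security answer is stalled for a day, during which the real owner receives the recovery mail and can react.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values for this demo (the 24 h delay is the one the article describes).
SECURITY_QUESTION_DELAY = timedelta(hours=24)
RECOVERY_LINK_TTL = timedelta(hours=1)   # assumption: mailed links expire after an hour


def _digest(text: str) -> bytes:
    # Demo-only hashing; a production system would use a slow KDF such as scrypt/argon2.
    return hashlib.sha256(text.strip().lower().encode()).digest()


@dataclass
class Account:
    username: str
    recovery_email: str
    security_answer_hash: bytes
    password_hash: bytes
    recovery_sent_at: Optional[datetime] = None   # when the recovery mail was sent
    recovery_token: Optional[str] = None           # token embedded in the mailed link


class RecoveryService:
    """Models the username -> CAPTCHA -> mailed link -> delayed security-question flow."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.outbox: list[tuple[str, str]] = []   # (recipient, token); stands in for SMTP

    def add_account(self, username: str, recovery_email: str, answer: str, password: str) -> None:
        self.accounts[username] = Account(username, recovery_email, _digest(answer), _digest(password))

    def start_recovery(self, username: str, captcha_ok: bool, now: datetime) -> str:
        if not captcha_ok:
            return "captcha_failed"
        acct = self.accounts.get(username)
        if acct is None:
            return "ok"   # same response for unknown users, so the form does not leak usernames
        acct.recovery_token = secrets.token_urlsafe(32)
        acct.recovery_sent_at = now
        self.outbox.append((acct.recovery_email, acct.recovery_token))
        return "ok"

    def reset_with_link(self, username: str, token: str, new_password: str, now: datetime) -> bool:
        acct = self.accounts.get(username)
        if acct is None or acct.recovery_token is None or acct.recovery_sent_at is None:
            return False
        if now - acct.recovery_sent_at > RECOVERY_LINK_TTL:
            return False
        if not secrets.compare_digest(acct.recovery_token.encode(), token.encode()):
            return False
        self._finish_reset(acct, new_password)
        return True

    def reset_with_security_question(self, username: str, answer: str,
                                     new_password: str, now: datetime) -> str:
        acct = self.accounts.get(username)
        if acct is None or acct.recovery_sent_at is None:
            return "no_recovery_started"          # the mail step cannot be skipped
        if now - acct.recovery_sent_at < SECURITY_QUESTION_DELAY:
            return "wait"                         # fallback closed until 24 h after the mail
        if not secrets.compare_digest(acct.security_answer_hash, _digest(answer)):
            return "denied"
        self._finish_reset(acct, new_password)
        return "reset"

    @staticmethod
    def _finish_reset(acct: Account, new_password: str) -> None:
        acct.password_hash = _digest(new_password)
        acct.recovery_token = None                # both recovery paths are single-use
        acct.recovery_sent_at = None


def run_demo() -> dict:
    """Walks a constructed account through both paths and returns the outcomes."""
    svc = RecoveryService()
    t0 = datetime(2009, 7, 15, 9, 0)
    svc.add_account("demo_user", "alt@example.test", "snowball", "old-password")
    out = {"before_start": svc.reset_with_security_question("demo_user", "snowball", "x", t0)}
    out["start"] = svc.start_recovery("demo_user", captcha_ok=True, now=t0)
    out["question_too_early"] = svc.reset_with_security_question(
        "demo_user", "snowball", "x", t0 + timedelta(hours=2))
    out["question_wrong_answer"] = svc.reset_with_security_question(
        "demo_user", "guess", "x", t0 + timedelta(hours=25))
    out["question_after_delay"] = svc.reset_with_security_question(
        "demo_user", "snowball", "new-password", t0 + timedelta(hours=25))
    # Second run: the mailed link works promptly, but only once and only while fresh.
    svc.start_recovery("demo_user", captcha_ok=True, now=t0)
    token = svc.outbox[-1][1]
    out["link_expired"] = svc.reset_with_link("demo_user", token, "x", t0 + timedelta(hours=3))
    out["link_valid"] = svc.reset_with_link("demo_user", token, "newer", t0 + timedelta(minutes=10))
    out["link_reused"] = svc.reset_with_link("demo_user", token, "x", t0 + timedelta(minutes=11))
    return out
```

The two paths are deliberately asymmetric: the mailed link is fast but requires control of the alternate mailbox, while the security question is slow and only reachable after the owner has been notified. A client that wants to stall such a flow for the legitimate owner would need both the alternate mailbox and the answer, which is exactly the case the article's warning about keeping recovery details current is about.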
“…Twitter co-founder Evan Williams was contacted by TechCrunch to confirm the document theft. Williams reportedly confirmed that Twitter did suffer an attack several weeks ago…
Williams told TC the company is familiar with the list of information Hacker Croll obtained… The Twitter co-founder confirmed the hacker gained access to his wife’s Gmail account — where some of Williams’ credit card information was stored — as well as an administrative employee’s Gmail account and a number of personal accounts of other Twitter employees. Williams says Hacker Croll did not gain access to William’s Gmail account, and that Twitter has now taken further security measures to guard company property and internal documents.”
This suggests that the hacks were on Gmail accounts (not Google Apps, although the above does not rule out that there might have been additional hacks on other systems, such as Google Apps). If the hacker’s original point of entry was the personal email accounts of various employees (and even relatives of employees, such as Williams’ wife), how did this lead to so many sensitive company documents being compromised? I am left wondering why so much sensitive company documentation would be found in the personal Gmail accounts of employees.
There’s also the rather interesting tidbit (take that as a warning!) that Williams’ credit card info was somehow stored within his wife’s Gmail account. A big no-no for sure! I can’t think of any good reason to ever keep your credit card number stored digitally somewhere under your own control (not including merchants’ databases, which obviously store your CC info when you transact with them). The card’s in your wallet; why keep the number online somewhere else as well?
I’ll post more as other details emerge, if indeed they do.
Update 1: Twitter co-founder Biz Stone posted this morning at 11.15am providing some clarity on what happened. Some of the salient excerpts:
“About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.”
So as I suspected, Twitter is using Google Apps, and that is presumably where the majority of those hundreds of stolen docs came from. Still interesting, though, is how the hacker was able to get from the personal email account of one employee into that employee’s Google Apps account. Why are employees co-mingling personal email with business? I never do that myself and believe it’s generally a poor practice, not just for security reasons but for several others as well.