<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Wire Turf &#187; Twitter</title>
	<atom:link href="http://www.wireturf.com/tag/twitter/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.wireturf.com</link>
	<description></description>
	<lastBuildDate>Sat, 22 Oct 2011 02:38:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2</generator>
		<item>
		<title>Twitter Doc Theft &#8211; Details Revealed: Step By Step To How It Was Done</title>
		<link>http://www.wireturf.com/2009/07/19/twitter-doc-theft-details-revealed-step-by-step-to-how-it-was-done/</link>
		<comments>http://www.wireturf.com/2009/07/19/twitter-doc-theft-details-revealed-step-by-step-to-how-it-was-done/#comments</comments>
		<pubDate>Mon, 20 Jul 2009 04:41:14 +0000</pubDate>
		<dc:creator>David</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.wireturf.com/?p=76</guid>
		<description><![CDATA[TechCrunch posted a great step by step account this morning that details almost exactly how Frenchman Hacker Croll (HC) was able to steal over 300 sensitive Twitter corporate docs, as well as gain access to numerous online accounts of several &#8230; <a href="http://www.wireturf.com/2009/07/19/twitter-doc-theft-details-revealed-step-by-step-to-how-it-was-done/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>TechCrunch posted <a href="http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/" target="_blank">a great step by step account</a> this morning that details almost exactly how Frenchman Hacker Croll (HC) was able to <a href="http://www.techcrunch.com/2009/07/14/in-our-inbox-hundreds-of-confidential-twitter-documents/" target="_blank">steal over 300 sensitive Twitter corporate docs</a>, as well as gain access to numerous online accounts of several <a href="http://twitter.com" rel="nofollow" target="_blank">Twitter</a> employees.</p>
<p>It&#8217;s a long article, but very interesting, and if you have any interest in keeping a tight rein on the security of data that you keep online (email etc.), you owe it to yourself to give the TC post a thorough read. Now that we have details as to exactly what occurred and how it was done, my head is spinning with the myriad security issues raised by this incident. I plan to write a series of posts in the coming days discussing these issues in greater detail.</p>
<p>I quote here the TechCrunch summary of the attack:</p>
<blockquote>
<ol>
<li>HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.</li>
<li>
HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.</li>
<li>
HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.</li>
<li>
HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.</li>
<li>
HC then used the same username/password combinations and password reset features to access AT&#038;T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.</li>
<li>
Even at this point, Twitter had absolutely no idea they had been compromised.</li>
</ol>
<p><em>Source: <a href="http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/" target="_blank">TechCrunch</a></em>
</p></blockquote>
<p>WOW! So many things jump right out at me from reading this, including:</p>
<ol>
<li>Sloppy email and password account management by the Twitter employees concerned</li>
<li>Dangers of mixing work and personal email activities</li>
<li>What kind of online footprint you leave by your public participation in social networks, and how vulnerable to attack that can make you (actually this is hinted at not from the above summary account but other details in the TC post)</li>
</ol>
<p>More to come on this subject in the next few days.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.wireturf.com/2009/07/19/twitter-doc-theft-details-revealed-step-by-step-to-how-it-was-done/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Twitter Docs Stolen off Gmail. How it was done.</title>
		<link>http://www.wireturf.com/2009/07/15/twitter-docs-stolen-off-gmail-how-it-was-done/</link>
		<comments>http://www.wireturf.com/2009/07/15/twitter-docs-stolen-off-gmail-how-it-was-done/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 18:49:33 +0000</pubDate>
		<dc:creator>David</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Data security]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://www.wireturf.com/?p=18</guid>
		<description><![CDATA[I&#8217;m interested to document how French hacker &#8220;Hacker Croll&#8221; was recently able to steal sensitive company documents from Twitter. My interest in this is to inform myself and hopefully others as to how to safeguard ourselves as best we can &#8230; <a href="http://www.wireturf.com/2009/07/15/twitter-docs-stolen-off-gmail-how-it-was-done/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m interested to document how French hacker &#8220;Hacker Croll&#8221; was recently able to steal sensitive company documents from Twitter.</p>
<p>My interest in this is to inform myself and hopefully others as to how to safeguard ourselves as best we can from suffering similar fates in future.</p>
<p>What I have gleaned so far:</p>
<p>From <a href="http://www.techcrunch.com/2009/07/14/twitters-ev-confirms-hacker-targeted-personal-accounts-attack-was-highly-distressing/" target="_blank">TechCrunch yesterday</a>:</p>
<blockquote><p>&#8220;Hacker Croll was able to compromise the Twitter accounts of founder Evan Williams, his wife, and several employees. Using password recovery techniques, Hacker Croll claims he gained access to various Paypal, Amazon, Apple , AT&amp;T, MobileMe and Gmail accounts.  Evan Williams&#8230; confirms:</p>
<p>Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of twitter where someone gained access to user’s accounts. This had nothing to do with the security of twitter.com, and there were no user accounts compromised here.</p>
<p>Some notes:<br />
- He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.<br />
- There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.<br />
- He also successfully targeted a couple other employees’ personal accounts (Amazon, AT&amp;T, Paypal…)</p>
<p>In general, most of the sensitive information was personal rather than company-related. Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email.</p>
<p>Above and below are purported screenshots of Williams’ accounts on Twitter, Gmail, and GoDaddy. He claims he was able to access Twitter’s domain name account on GoDaddy and could have redirected the traffic to another IP address (I’m sure that would have worked for about three minutes).  The Gmail access, if true, would have been more troubling.  Once the hacker got into @ev’s Gmail account, password recovery for other accounts was easy.  He claims to have gained access to some internal documents, including projections for reaching 25 million users in 2009, 100 million in 2010, 350 million in 2010, and an outlandish goal to eventually become the first Internet service to reach one billion users. So maybe some corporate information was compromised.
</p></blockquote>
<p>And from <a href="http://www.pcworld.com/article/168462/twitter_hacked_secrets_to_be_revealed.html" target="_blank">PC World today</a>:</p>
<blockquote><p>&#8220;&#8230;what&#8217;s strange about the hack of Twitter&#8217;s Gmail accounts is that Google&#8217;s security process is not as simple as Yahoo&#8217;s allegedly was at the time of the Palin hack.</p>
<p>On the password recovery page, Google asks you for your username, and then requires you to enter a CAPTCHA. Then Google sends a link to the e-mail address you originally entered when you signed up for a Google account. If you don&#8217;t have access to that account, Google will not allow you to access your account by answering your security question until 24 hours after you&#8217;ve received the security e-mail at your alternate account. Yahoo Mail currently uses a similar password recovery method.</p>
<p>It&#8217;s not clear if this security measure was in place at the time Hacker Croll accessed the Gmail accounts associated with Twitter, but it does serve as a reminder that you must keep your information up to date and choose a security question that will be difficult for a hacker to figure out.&#8221;</p>
<p>&#8220;&#8230;Twitter co-founder Evan Williams was contacted by <a title="TechCrunch" href="http://www.techcrunch.com/2009/07/14/twitters-ev-confirms-hacker-targeted-personal-accounts-attack-was-highly-distressing/" target="_blank">TechCrunch</a> to confirm the document theft. Williams reportedly confirmed that Twitter did suffer an attack several weeks ago&#8230;</p>
<p>Williams told TC the company is familiar with the list of information Hacker Croll obtained&#8230; The Twitter co-founder confirmed the hacker gained access to his wife&#8217;s Gmail account &#8212; where some of Williams&#8217; credit card information was stored &#8212; as well as an administrative employee&#8217;s Gmail account and a number of personal accounts of other Twitter employees. Williams says Hacker Croll did not gain access to Williams&#8217; Gmail account, and that Twitter has now taken further security measures to guard company property and internal documents.&#8221;</p></blockquote>
<p>This suggests that the hacks were on Gmail accounts (not Google Apps, although the above does not rule out that there might have been additional hacks on other stuff, such as Google Apps). If the original point of entry by the hacker were the personal email accounts of various employees (and even relatives of employees, such as Williams&#8217; wife), how did this lead to so many sensitive company documents being compromised? I am left wondering why so much sensitive company documentation would be found on personal Gmail accounts of employees.</p>
<p>There&#8217;s also the rather interesting tidbit (take that as a warning!) that Williams&#8217; credit card info was somehow stored within his wife&#8217;s Gmail account. A big no no for sure! I can&#8217;t think of any good reason to ever keep your credit card number stored digitally somewhere that you can control (not including merchants&#8217; databases that obviously store your CC info when you transact with them). The card&#8217;s in your wallet, why keep the number online somewhere else as well?</p>
<p>I&#8217;ll post more as other details emerge, if indeed they do.</p>
<p><strong>Update 1</strong>: Twitter co-founder Biz Stone <a href="http://blog.twitter.com/2009/07/twitter-even-more-open-than-we-wanted.html" target="_blank">posted this morning</a> at 11.15am providing some clarity on what happened. Some of the salient excerpts:</p>
<blockquote><p>&#8220;About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee&#8217;s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.&#8221;</p></blockquote>
<p>So as I suspected, Twitter is using Google Apps and that was where presumably the majority of those hundreds of stolen docs came from. Still interesting though is how the hacker was able to get from the personal email account of one employee into that employee&#8217;s Google Apps account. Why are employees co-mingling personal email with business? I never ever do that myself and believe it&#8217;s generally a poor practice, not just for security reasons but for several others as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.wireturf.com/2009/07/15/twitter-docs-stolen-off-gmail-how-it-was-done/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

