A recent leak of internal Twitter documents has been portrayed as a weakness in the entire concept of online software such as Google Apps. But, like so many technical problems, it appears human imperfections may be to blame.
The leak involved hundreds of documents ranging from the serious (including financial projections and employee credit card details) to the trivial (lunch preferences). They were offered to some media outlets, with TechCrunch publishing details of a proposed TV show based on the company, to be titled “Final Tweet”.
Twitter accounts themselves have not been compromised and no user details are among the information obtained by the hacker. However, it appears this is the same hacker who gained access to Twitter’s account administration section in May and uncovered details of celebrity users who had blocked people from contacting them.
In this incident, the documents were obtained from a Google Apps account used by a Twitter employee. That’s caused some conjecture that Google Apps is inherently unsafe as a way for companies to store documents, with another argument being that security on the service is only as good as the password you use. And there’s certainly a point to be made that Google’s synchronized suite, which makes life easier for users, also helps hackers in that you only have to breach one element of a user’s account to get access to their data from multiple applications.
However, latest reports say the hacker did not have to guess (or rather use a computer to figure out) the Google Apps password. Instead they found it listed in an e-mail in a Twitter employee’s Yahoo e-mail account which they had accessed through a bogus password reset.
Yahoo’s password reset system has previously been proven to be far too open to abuse: a hacker used the same tactics to access Sarah Palin’s e-mails last year. But for all the problems with Yahoo’s and Google’s systems, the whole attack would never have happened if the employee had remembered the basic security rule of never listing a password in an e-mail (and immediately deleting any message they received containing such details).