Twitter Data Leaked After Hacker Targets Employee E-Mail

 
 
By Brian Prince | Posted 2009-07-15

A hacker has gotten hold of Twitter company information after hacking into the personal e-mail account of an employee.

The hacker, who goes by the nickname "Hacker Croll," sent hundreds of company documents to TechCrunch and a French blog called Korben. The documents range from contracts with companies such as AOL and Nokia to financial projections and employee credit card information. TechCrunch has published some of the documents, including one pertaining to an idea for a Twitter TV show called "Final Tweet." 

According to Twitter, about a month ago an administrative employee had her personal e-mail account hacked. From the personal account, the attacker was able to gain information that allowed access to the employee's Google Apps account, which contained Docs, Calendars and other Google apps Twitter relies on for sharing notes, spreadsheets and other information within the company. 

The stolen documents that were downloaded and offered to various blogs and publications are not Twitter user accounts, and no accounts were compromised, except for a screenshot of one person's account. This was not a hack on the Twitter service; it was a personal attack followed by the theft of private company documents.

"This attack had nothing to do with any vulnerability in Google Apps, which we continue to use," Twitter co-founder Biz Stone wrote in a blog. "This is more about Twitter being in enough of a spotlight that folks who work here can become targets. ... This isn't about any flaw in Web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords." 

The breach follows an incident in April when someone operating under the name Hacker Croll gained access to Twitter's administration panel and posted screenshots of internal data for accounts belonging to a number of celebrities.

This time around, Hacker Croll claims to have used password recovery techniques to gain access to the PayPal, Apple, AT&T, Amazon, MobileMe and Gmail accounts of several Twitter employees.

Since the attack, Twitter has performed a security audit and reminded employees of the "importance of personal security guidelines," Stone wrote.

 

