
Lessons to learn from Twitter security breach

I can't help but feel sorry for Twitter. It's been revealed that the French hacker who broke into Twitter's internal systems a couple of months ago has been up to mischief again, creating more embarrassment for the micro-blogging network.

Last time Hacker Croll gained access to the Twitter administration console, giving him access to the accounts of millions of Twitter users. He posted screenshots revealing that he'd been able to access private information regarding the accounts of the likes of Barack Obama, Britney Spears, Ashton Kutcher and Lily Allen.

How had the hacker wormed his way in? By resetting a Twitter employee's Yahoo password after guessing the answer to their online "secret question", then finding information about their Twitter login credentials inside the mailbox.

Now it has become clear that Hacker Croll has also stolen confidential corporate documents and shared the information with popular website TechCrunch.

TechCrunch founder Michael Arrington says his site was sent 310 documents, including information about employees, their credit card numbers, confidential contracts with the likes of Nokia, AOL and Microsoft, email conversations with show business celebrities, phone numbers, plans for a TV show, financial projections, meeting reports and salary information.

Again, online email systems and poor password security appear to have been the weak link. A Twitter employee was using the same password on more than one website, and the hacker was able to determine it. This opened a treasure trove of corporate information that the company was storing in Google Docs, Google Calendar and Gmail.

It could have been you

Before any of us feel too smug about this, ask yourself one question: do you use the same password on multiple websites? Research conducted by Sophos shows that 33 percent of people do precisely that all the time.

Very few computer users seem to have woken up to the risks of using weak passwords, or of using the same one for every site they visit. With social networking and other internet accounts now more popular than ever, there's plenty on offer for hackers, and by using the same password to access Facebook, Gmail and your eBay account you're making it much easier for them: one compromised site hands over the keys to all the others.

In the case of the Twitter security leak, for instance, it's even reported that the hacker gained access to Twitter's domain name account on GoDaddy and could have redirected the traffic to another IP address, perhaps with malicious intent.

I suspect that the people at Twitter have learnt their lesson now. They have reportedly told their staff to change their passwords to unique, non-dictionary words, are introducing two-factor authentication, and have advised their millions of users never to use the same password on multiple websites. Of course, there is more they could be doing to better protect their users, but at least they're making a start.

If I were one of the bosses at Twitter I would be feeling pretty embarrassed by what's happened, but I would also have some other emotions.

I'd be angry with the hacker for breaking in, and for acting irresponsibly by not reporting the problem directly to the company rather than to the world at large.

I'd be disgusted with TechCrunch, which seems to have adopted a holier-than-thou position on the leak, eager to publish confidential information not for genuine reasons of public interest, but more in the voyeuristic style of the paparazzi.

But most of all, I'd be relieved that Hacker Croll didn't use the information he uncovered to cause much more serious problems for the organisation, which could have impacted all of its users.

Graham Cluley is senior technology consultant at Sophos, and writes for Computerworld UK. Follow him on Twitter