15 Jul 2009, Shaun Nichols , V3
A recent system hack targeting a Twitter employee has led to a major data breach at the micro-blogging site.
Twitter co-founder Biz Stone said on Wednesday that the breach exposed a number of internal documents, but that no information regarding account credentials for the Twitter service itself was compromised.
The incident began in May when a French hacker known as 'Hacker Croll' broke into the email account of a Twitter executive, and gained access to a number of documents through the company's Google Apps account.
Earlier this week, the hacker began releasing the documents to a number of news outlets. The items reportedly include information from company meetings, plans for a television programme and details on the security systems at Twitter's headquarters.
Stone assured Twitter users in a blog post that no account information was among the stolen data.
"It's important to note that the stolen documents which were downloaded and offered to various blogs and publications are not Twitter user accounts, nor were any user accounts compromised except for a screenshot of one person's account and we contacted that person and recommended changing their password," he wrote.
"This was not a hack on the Twitter service. It was a personal attack followed by the theft of private company documents."
This is not really about the innate security or insecurity of cloud computing...
...it's about password security. This hack can happen to any enterprise that makes web-based email available.
Organisations must enforce strong password policy and force their employees to make regular password changes on email accounts.
Employees often demand web-based access to email, and web-based access to email greatly increases the utility of corporate email, but proper security policies should be in place to minimise the risks.
Enterprises should enforce 'strong' password policies as well as regular password changes. I'm not sure if the 'enterprise' version of Google Apps has such a feature to enforce such policies, but it should.
For extra security, webmail can be protected by two-factor authentication (e.g. not just a password, but also a USB token or similar). Many enterprises already do this, though many do not.
Email continues to be the de-facto filing and file transfer system in the enterprise. It's nearly impossible to change this behaviour, but as the Twitter hack shows, a massive amount of confidential information resides in the email system. Adopting an easy-to-use solution for secure file transfer, to send files that are large or contain confidential information, and encouraging employees to use it, can help solve this problem.
Posted by Keith Crosley, director of market development at email security firm Proofpoint, 17 Jul 2009