Twitter's security breach: a reminder to choose and use web passwords wisely.


Someone who goes by the name of "Hacker Croll" breached the cloud computing accounts of one or more Twitter employees, and obtained access to extremely sensitive personal and corporate documents. I won't link to the documents, but they're floating around. I first read about the breach on the New York Times "Bits" blog.

This seems as good a time as any to remind everyone about choosing and managing passwords wisely. The New York Times' Gadgetwise blog has a helpful post up today along those lines. Snip:

The lesson Twitter employees are learning the hard way is a lesson for us all. If you use cloud services for personal or work purposes, you need to:

* Use strong passwords
* Use a different password for each of your accounts
* Pick tough security questions
* Keep your passwords and answers to security questions to yourself.

If you use Gmail, here are tips on how to keep your account secure. There are also instructions on securely retrieving a forgotten password with a text message to your phone.

If you find it difficult to remember multiple strong passwords, choose a secure way to store them.

Twitter Gets Hacked. Can It Happen to You? (NYT Gadgetwise)

Related: Much debate online today about the ethics involved in publishing the ill-gotten docs. Here is a blog post at Information Week arguing that this reflects recklessness, and here are two blog posts which defend the notion that this is a protected right (my linking these should not be interpreted as a personal blessing, I'm thinking all of it through, too): copyrightsandcampaigns, and

Here is Twitter co-founder Biz Stone's blog post about the data theft:

About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines.

This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal email was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not email. This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.

And, a question many are asking: will Twitter sue the blog that published a number of these documents today?


  1. Strong passwords and password/pattern reuse should have no bearing on the sensitivity of the contents of any properly implemented web site authentication database, because that information should always be salted (combined with a random value) and hashed (reduced to a digital signature), and never stored in the clear. A hacker gaining access to the database would then have no way of utilizing any authentication information on any other web site or system.

    – Michael

  2. LOL. Passwords are inherently insecure (just like social security numbers). Online financial transactions should require a crypto key device (such as the RSA keyfob) or a one-time pad (printed on the back of monthly statements).

    Maybe the increasing frequency of high-level cracked accounts will finally spark someone to implement a real security mechanism for online services.

  3. It’s not the passwords that were the problem. It was the “forgot your password” secret question, which is usually quite easily guessable by anyone who knows even the tiniest bit of personal information.

    I hate it how so many websites have this “feature”, which is typically a mandatory field of the sign-in process and is a gaping security hole. Even worse are the ones that don’t let you specify your own question and put in things like “mother’s maiden name”, “place of birth”, “first pet” etc, which any other family member or close friend would easily know. Personally I always just fill this field in with a long string of random keypresses that I will never be able to re-type, and no-one will ever be able to guess.

  4. @Dorothy

    I don’t have much on an answer for you, but I applaud the use of stanzas in your comment.

    Nice job.

  5. Many banks in the UK now issue these little card reader RAS devices (like little calculators) you have to use for any but the most basic online transactions. First Barclays, now Smile, probably more. Assumed this was a global roll-out… Surely to become so.

  6. #3: “It’s not the passwords that were the problem. It was the “forgot your password” secret question, which is usually quite easily guessable by anyone who knows even the tiniest bit of personal information.”

    I’ve never answered one of these “security” questions straight. My first pet’s name is always something like “oijf8938LKJd89qoidj*(Fokf”, and I store this info, securely, the same way I store my password.

    However, this is something people need to learn. My first password, in the mid-80s, was “password”. I thought I was so clever, until I stumbled across an article by a system administrator who found that 40% of her users used “password” as their password. That was the beginning of my education in online security.

    “Here oijf8938LKJd89qoidj*(Fokf! Sit oijf8938LKJd89qoidj*(Fokf! What a good boy!”

  7. there is a recent bruce schneier article about passwords. here’s my thoughts about this issue:

    1. brute force guessing of passwords that are not dictionary words is virtually impossible somewhere between 6 and 8 characters long (assuming alphanumeric that’s 8^36 permutations) within a reasonable amount of time and definitely not possible with a sensible lockout policy after a small number of failures.

    2. most of the time passwords are stolen by trojan keyloggers and the like, and social engineering attacks, which phishing is a more sophisticated form of.

    3. keyloggers can be got around by using onscreen clickable password input systems, very few trojan keyloggers can log mouse clicks and locations and a well designed input system can further obfuscate this by randomising the location of the keys.

    4. biggest problem with password security is websites that don’t use hashed and salted passwords generated user-side and transmitted thusly obfuscated. this opens users up to the risk of hackers harvesting user logins.

    my personal opinion on this topic is that there needs to be formed an international authority on online security which gathers, defines and certifies online security best practice. i nominate, for one, bruce schneier to sit on the board. and i am putting my hand up to vote for my country (australia) to join and adhere and enforce its policies (it’s a problem that needs to be addressed on all levels of the system, user and service provider side and within academia where programmers are taught networked application coding).

  8. Last week I signed up for 4 different forums just to see if anything interesting was written in them. All in all I think I have about 20 accounts on online forums and services at the moment. Sometimes I start to register to a forum and it turns out that I signed up last year and forgot about it.

    I can’t imagine actually using different usernames and passwords for all of them, I’d never be able to keep track. I wish there was some single system I could trust to verify that I am the same person without building up another database on all my online activities.

  9. what i want to know is:

    WHY would ANYONE, let alone a corporation, use google docs for sharing/collaboration of private information?

    google, by their TOS have access to ALL the verbiage therein. that’s how they make money.
    maybe i’m wrong about docs and that only applies to gmail/calendar?
    if i were google, the temptation to see what twitter has planned might be all too alluring.

    i really need to get the gmail monkey off my back.

  10. Regarding the issues of posting the docs… if that is improper, then so is the practice of low-brow newspapers publishing scurrilous and embarrassing dirt that they find on ‘celebrities’.

    I’m not arguing for or against: just that if one is made unlawful, then the other should be too. Viz France’s very strong privacy laws.

  11. Yeah, sure, we’re all going to have strong unique passwords for each one of our six thousand random accounts with different password requirements and expiration intervals without writing them down or otherwise storing them somewhere. This model simply does not work for anyone who hasn’t got photographic memory. I’ve settled on a low-security password that I commonly use for non-sensitive sites, and several high-security ones for financial and medical stuff.

    The problem now is a sort of arms race by IT departments to require longer passwords with more special characters and shorter expiration intervals. How many people are going to commit a 15-character password with multiple special characters that expires every 45 days to memory, and who is going to write it on a sticky or keep it in a spreadsheet? It looks good to management, but it isn’t secure because of the way you’re forcing users into workarounds.

  12. Isn’t it also a bad idea for Twitter to be using Google Apps in the first place? Posting sensitive information on a potential competitor’s website isn’t usually a good idea. I know Google Apps isn’t supposed to “peek”, but still. At this point, can’t Twitter afford Open Office?

  13. DON’T remember passwords. Remember a FORMULA for your passwords. For example:

    First letter of site, capitalized + favorite food + dog’s name + some number
    (No this is not my formula, sorry)

    If you do this, you can have a unique password for every site, yet you only need to remember one thing.
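The general form of the "remember a formula" idea is a deterministic derivation: one master secret, one public site name, and a function that turns the pair into a per-site password. The added example below (written for this page, not the commenter's own scheme) does that with PBKDF2 and HMAC-SHA256 from the Python standard library, so that someone who obtains the password for one site cannot read the master secret out of it the way they could from a visible pattern like food-plus-dog's-name. The alphabet, length and revision parameter are assumptions for the example; the revision number lets a single site's password be rotated after a breach without changing the master secret.

```python
import hashlib
import hmac
import string

# Symbols allowed in derived passwords (assumption for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_site_password(master_secret: str, site: str,
                         length: int = 16, revision: int = 1) -> str:
    """Derive a per-site password from one master secret.

    The site name and revision act as the salt, so each site (and each
    rotation of a site) yields an unrelated password.  PBKDF2 makes guessing
    the master secret from a leaked site password slow.
    """
    salt = f"{site}:{revision}".encode("utf-8")
    key = hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode("utf-8"), salt, 100_000, dklen=32
    )
    # Expand the key into password characters with HMAC in counter mode.
    chars = []
    counter = 0
    limit = 256 - (256 % len(ALPHABET))  # rejection bound for unbiased sampling
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        for b in block:
            if b < limit:  # skip bytes that would bias the modulo below
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        counter += 1
    return "".join(chars)


def all_distinct(master_secret: str, sites: list) -> bool:
    """Check that the derivation gives every site its own password."""
    derived = {derive_site_password(master_secret, s) for s in sites}
    return len(derived) == len(sites)


if __name__ == "__main__":
    master = "example master secret, not a real one"
    for site in ("example.com", "mail.example.net", "bank.example.org"):
        print(site, derive_site_password(master, site))
    print("rotated:", derive_site_password(master, "example.com", revision=2))
```

The trade-off a practitioner should know: a derived password cannot be changed independently of the inputs, which is why the revision number is part of the salt, and every site's password still rests on the strength of the single master secret, so that secret has to be long and never typed into anything but the derivation tool.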

  14. There are multiple problems here.

    First, these aren’t just average Joes — these are employees of a high-profile company. High-profile means they will be directly targeted by people who wish to get inside Twitter. Using a stronger password might keep script kiddies from accessing your bank account, but it won’t keep a determined attacker from finding a way in.

    The failures start with the “secret question”. The question isn’t a secret and, most of the time, neither is the answer. Almost every question ever used could be looked up in public records. Most of the time, different websites use the exact same questions.

    This leads to another problem: common credentials. Crack the password to your x-forum account, and they also know the password to your email, Twitter, Google, and hundreds of other websites, because most people use the same login name and password across sites.

    This is compounded by timeliness. A password is “something you know”, which means once somebody else knows it, they also have complete control. The only way to stop them is to change the password — if they don’t do it first. Until you change it, they can walk in any time they like. Knowledge is a fluid thing — it can be read or overheard, captured, and distributed infinitely. A single leak of that password is all that is needed to compromise your account. That’s where two-factor authentication comes in: it’s a lot harder to get a hold of something physical, like the keyfob on your keyring, and it’s exponentially more difficult to get that and your password both at the same time.

    The problem goes beyond the passwords themselves. Even the best password in the world can be grabbed by a keylogger or pillaged from a poorly-designed database. Even salting and hashing can only do so much — offline brute-force of a large database, using rainbow tables and cheap distributed computing, can yield a password within minutes. Who says you even need to break in through the front door? Many websites are built on shaky ground, with plenty of well-known exploits that make accessing administrative services trivial. All the up-front security in the world doesn’t matter when your website is running on IIS on an old, unpatched Windows 2000 box.

    Security is hard because: a) the attacker(s) always have more motivation and resources than you do, and b) the attacker only has to overcome the weakest link.

    I’m not saying it’s impossible to make yourself more secure, but anybody who thinks you can be “secure” (in the sense that you are impervious to attack) is kidding themselves. Security is about mitigating and reducing risk, not eliminating it. Security breaches will always happen.
