Twitter's security breach: a reminder to choose and use web passwords wisely.


Someone who goes by the name of "Hacker Croll" breached the cloud computing accounts of one or more Twitter employees, and obtained access to extremely sensitive personal and corporate documents. I won't link to the documents, but they're floating around. I first read about the breach on the New York Times "Bits" blog.

This seems as good a time as any to remind everyone about choosing and managing passwords wisely. The New York Times' Gadgetwise blog has a helpful post up today along those lines. Snip:

The lesson Twitter employees are learning the hard way is a lesson for us all. If you use cloud services for personal or work purposes, you need to:

* Use strong passwords
* Use a different password for each of your accounts
* Pick tough security questions
* Keep your passwords and answers to security questions to yourself.

(If you use Gmail, here are tips on how to keep your account secure. There are also instructions on securely retrieving a forgotten password with a text message to your phone.)

If you find it difficult to remember multiple strong passwords, choose a secure way to store them.

Twitter Gets Hacked. Can It Happen to You? (NYT Gadgetwise)

Related: Much debate online today about the ethics involved in publishing the ill-gotten docs. Here is a blog post at Information Week arguing that this reflects recklessness, and here are two blog posts which defend the notion that this is a protected right (my linking these should not be interpreted as a personal blessing, I'm thinking all of it through, too): copyrightsandcampaigns, and

Here is Twitter co-founder Biz Stone's blog post about the data theft:

About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines.

This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal email was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not email. This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.

And, a question many are asking: will Twitter sue the blog that published a number of these documents today?