Hugely popular micro-blogging site Twitter is taking legal advice after a hacker stole hundreds of sensitive documents and published them online.
The documents, which included financial projections and product information, were stored in Google’s cloud-based Apps platform. The hacker accessed the Google Apps account of a Twitter employee after gaining access to the worker’s personal email account.
In a blog posting, Twitter co-founder Biz Stone, said: “About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.”
The documents were then passed to technology blog TechCrunch, who published a selection of the documents.
Stone said that Twitter would be speaking to its lawyers about the theft. “We are in touch with our legal counsel about what this theft means for Twitter, the hacker and anyone who accepts or publishes these stolen documents,” he said.
TechCrunch defended its decision to publish some of the documents. “We publish confidential information almost every day on TechCrunch. This is stuff that is also “stolen,” usually leaked by an employee or someone else close to the company, and the company is very much opposed to its publication. In the past we’ve received comments that this is unethical. And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news,” said founder Michael Arrington on the site.
Twitter is no stranger to security vulnerabilities. In May 2009 a French hacker claimed he accessed the account of a Twitter employee with administrative rights, enabling him to access accounts belonging to US president Barack Obama and singers Britney Spears and Lily Allen. Information such as email addresses, mobile phone numbers and information about other Twitter accounts that had been blocked by the user was compromised.
The site was struck by a malware attack over the 2009 Easter weekend, which resulted in Twitter identifying and deleting almost 10,000 tweets that could have continued to spread a worm.
The incident also raises questions about the ease with which the hacker was able to access the Twitter worker’s personal email address. Security firm Sophos recently revealed that one third of Internet users have the same password for multiple websites.
The firm found that 33% do not alter their password from one website to the next, while a further 48% claim to use a variety of different passwords. Just 19% said they never use the same password. Sophos conducted a similar survey three years ago and found then that 41% said they always use the same password and just 14% said they always used a different one.
