At first it seemed that the hacking of Twitter, in which some 300+ documents were stolen, could be blamed on lax security in the cloud. Twitter was storing its sensitive data using Google Apps, and it seemed that Google was to blame for the theft. But as more information comes to light, it seems that the folks at Twitter are responsible, and not Google.
TechCrunch, which had received the stolen documents from the hacker, offered the following advice to Twitter's owners and employees in a recent post:
Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.” Although no user accounts were compromised or accessible, the vulnerability speaks to a greater culture of lax security at the startup, and may be indicative of how earlier breaches possibly occurred.
With that in mind, we have some friendly advice for Twitter. For instance, it would be wise if in the future Twitter insiders do not use the password “password” for the back ends of its systems or one of its co-founder’s names (Jack) as a username.
Why do we think this advice could prove helpful? Well without taking this type of precaution, before you know it malicious hackers or just plain mean people who have it in for you could do some serious damage and/or embarrass you in front of all your friends and followers by invading your personal digital territory.
Again, for the record, this has absolutely nothing to do with the other security breach we’re publishing ongoing reports about and which Twitter has already publicly responded to. We notified Twitter about this breach as well, and waited until they took action to close it off before posting.
Over at the Google Security Blog, they state:
There’s been some discussion today about the security of online accounts, so we wanted to share our perspective. These are topics that we take very seriously because we know how important they are to our users. We run our own business on Google Apps, and we’re highly invested in providing a high level of security in our products. While we can’t discuss individual user or customer cases, we thought we’d try to clear up any confusion by taking some time to explain how account recovery works with various types of Google accounts and by revisiting some tips on how users can help keep their account data secure.
You can read how Google handles password recovery for different accounts at the Google link below.
But the real story here is not that Twitter was hacked, but how weak passwords may have contributed to the hacker's success. Using a common word like "password" as the password is just plain dumb. This should be a wake-up call for all of us to increase our password security on every account we use.
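The failures TechCrunch describes, a dictionary word as the password and a co-founder's first name as the username, are exactly what a password-acceptance check should refuse. The following is an added example, not code from the original post or from Twitter or Google; the common-password list is a small constructed set (a real deployment would use a large corpus of previously breached passwords) and the 12-character minimum is an assumed policy value. It also catches the usual disguises of a dictionary word: trailing digits ("password1") and letter-for-symbol substitutions ("P@ssw0rd").

```python
import re

# Constructed list of common passwords for this example; a real deployment
# would check against a large corpus of previously breached passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "twitter", "admin",
}

# Assumed policy value for this example.
MIN_LENGTH = 12

# Letter-for-symbol substitutions that do not make a dictionary word stronger.
_LEET = str.maketrans("@013$!", "aoiesi")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built on, if any."""
    lowered = password.lower()
    # Drop leading/trailing digits and symbols ("password1", "Password!!").
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    # Undo the usual substitutions ("p@ssw0rd" -> "password"), then keep letters only.
    return re.sub(r"[^a-z]", "", core.translate(_LEET))


def password_problems(username: str, password: str,
                      common=COMMON_PASSWORDS, min_length=MIN_LENGTH) -> list:
    """Return a list of reasons the password is weak; empty means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalize(password) in common:
        problems.append("based on a common password")
    # Rejects passwords built from the account name ("jack" -> "Jackson2009!!").
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 4:
        problems.append("uses fewer than 4 distinct characters")
    return problems


def is_acceptable(username: str, password: str) -> bool:
    return not password_problems(username, password)


if __name__ == "__main__":
    # Constructed sample credentials.
    for user, pw in [("jack", "password"),
                     ("jack", "P@ssw0rd2009"),
                     ("jack", "correct horse battery staple")]:
        print(f"{user!r} / {pw!r}: {password_problems(user, pw) or 'ok'}")
```

The check runs at password-set time, so the weak choices TechCrunch found never reach the back end in the first place; the normalization step is what stops users from satisfying the rule by appending a year or swapping "a" for "@".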
What do you think?