Twitter hacked, secrets to be revealed?

Claims of access to PayPal, Amazon, AT&T, MobileMe, Facebook, business Gmail accounts
  • Ian Paul (PC World (US online))
  • 16 July, 2009 02:34

Alleged internal documents and sensitive information from Twitter and its employees might be posted today on news sites and other Web outlets. The source of this information is a French hacker who goes by the name of Hacker Croll. The cybercriminal claims to have accessed personally sensitive information for several Twitter employees including personal accounts on PayPal, Amazon, AT&T, MobileMe, Facebook, business Gmail accounts, and the Web registrar account for, according to the French blog Korben.

Hacker Croll has also distributed some alleged internal documents to news sites and blogs, including a complete Twitter employee list and salary information; food preferences of Twitter employees; confidential contracts with companies such as Nokia, Samsung, Dell, AOL, Microsoft, and others; a contact list of notable Web and entertainment personalities; meeting reports; applicant resumes; and the original pitch for the infamous Twitter TV show.

After the news of the security breach became public, Twitter co-founder Evan Williams was contacted by TechCrunch to confirm the document theft. Williams reportedly confirmed that Twitter did suffer an attack several weeks ago, but the event was not related to the attack in April when a hacker gained access to several high-profile user accounts and Twitter's administrative functions. The April hack was also committed by a cybercriminal going by the name of Hacker Croll.

Williams told TC the company is familiar with the list of information Hacker Croll obtained, and countered some of the hacker's claims. The Twitter co-founder confirmed the hacker gained access to his wife's Gmail account -- where some of Williams's credit card information was stored -- as well as an administrative employee's Gmail account and a number of personal accounts of other Twitter employees. Williams says Hacker Croll did not gain access to William's Gmail account, and that Twitter has now taken further security measures to guard company property and internal documents.

Journalistic Dilemma

Things became more complicated when Hacker Croll e-mailed a compressed file of 310 alleged internal Twitter documents directly to TechCrunch. The blog says it spent some time reviewing the information, and intends to publish some of the documents they obtained over the course of the day on Wednesday.

TC founder Michael Arrington says the site will not publish any sensitive information such as pass codes or personally embarrassing information; however, TC will publish a variety of alleged documents including "financial projections, product plans and notes from executive strategy meetings," and the original pitch for Twitter's reality based television show.

"There is clearly an ethical line here that we don't want to cross," Arrington wrote in a blog post, "and the vast majority of these documents aren't going to be published, at least by us. But a few of the documents have so much news value that we think it's appropriate to publish them."

Ethics Fallout

Britain's Guardian newspaper reporting on this story said it would not link to TC stories about the Twitter hack for legal reasons. An online poll regarding the fate of the Twitter documents is also taking the temperature of Internet users. At the time of this writing, 56 percent of the 622 respondents were against TC releasing the documents, while 32 percent were in favor, and 12 percent didn't care.

Many tech blog readers are also opposed to TC's decision. Readers said it was unfair for TC to publish the documents because they were unjustly "stolen" from Twitter, and therefore the data is out of bounds for publication.

To defend TC's decision, Arrington paraphrases a comment from British newspaper magnate Lord Northcliffe who famously said, "News is what somebody somewhere wants to suppress; all the rest is advertising." The site is arguing that if information lands in a journalist's inbox it's fair game, no matter how the data was obtained. It's important to emphasize that TC has said it will not reprint any material that could compromise company security or potentially damage a person's safety or career by revealing sensitive information.

Should the Information be Posted?

The other issue is that news organizations are not in complete control of this alleged information, since Hacker Croll has the documents as well. If the anonymous hacker wanted to do so, he or she could easily publish this information to his or her own blog or Website. It's also possible this information is in the hands of Wikileaks, but that site is unlikely to publish the information since it deals only with information of "political, diplomatic or ethical significance."

If further news organizations obtain this information, they are likely to follow a similar path to TC or perhaps choose not to publish the information at all. So the issue may not be what TechCrunch, the Guardian, PC World, or other news outlets will do with the information, but what Hacker Croll will do.

That may turn out to be nothing, according to Korben, who posted an alleged quote from the hacker who claimed to have breached Twitter staff accounts to teach Twitter a lesson about security, and demonstrate how easily security questions and passwords can be broken. These claims of exposing security flaws are similar to boasts made by someone going by the name of Hacker Croll during the hack. At that time, the hacker claimed he or she was able to access Twitter's administrative accounts simply through "social engineering."

Webmail Security

Last year, University of Tennessee at Knoxville student David Kernell was arrested on charges he hacked into a Yahoo Mail account used by then-vice presidential candidate Sarah Palin. The e-mail messages obtained from the hack were eventually posted by Gawker, and were potentially damaging for Palin. Kernell's trial is set to begin on December 16.

The Palin account was hacked by using Yahoo's password recovery page, similar to the ploy Hacker Croll used earlier this year to gain access to Twitter user and administrative accounts via Yahoo Mail. That process seemed very simple, but what's strange about the hack of Twitter's Gmail accounts is that Google's security process is not as simple as Yahoo's allegedly was at the time of the Palin hack.

On the password recovery page, Google asks you for your username, and then requires you to enter a CAPTCHA. Then Google sends a link to the e-mail address you originally entered when you signed up for a Google account. If you don't have access to that account, Google will not allow you to access your account by answering your security question until 24 hours after you've received the security e-mail at your alternate account. Yahoo Mail currently uses a similar password recovery method.

It's not clear if this security measure was in place at the time Hacker Croll accessed the Gmail accounts associated with Twitter, but it does serve as a reminder that you must keep your information up to date and choose a security question that will be difficult for a hacker to figure out.

To change the secondary email associated with your Gmail account and take other security measures, visit your Google profile page.

Connect with Ian Paul on Twitter (@ianpaul).