Twitter hacked... again

For the third time this year, the San Francisco-based company was the victim of a security breach stemming from a simple end-run around its defences.

In the latest case, a hacker got the password for an employee's personal e-mail account - possibly by guessing, or by correctly answering a security question - and worked from there to steal confidential company documents.

The techniques used by the attackers highlight the dangers of a broader trend promoted by Google and others toward storing more data online, instead of on computers under your control.

The shift toward doing more over the web - a practice known as "cloud computing" - means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together.

Access to other applications

Stealing the password for someone's Gmail account, for example, not only gives the hacker access to that person's personal e-mail, but also to any other Google applications they might use for work, like those used to create spreadsheets or presentations.

That's apparently what happened to Twitter, which shares confidential data within the company through the Google Apps package that incorporates e-mail, word processing, spreadsheet, calendar and other Google services for $50 per user per year.

Co-founder Biz Stone wrote in a blog posting on Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and through that the attacker got access to the employee's Google Apps account.

Separately, the wife of co-founder Evan Williams also had her personal e-mail hacked around the same time, Stone wrote. Through that, the attacker got access to Williams' personal Amazon and PayPal accounts.

Stone said the attacks are "about Twitter being in enough of a spotlight that folks who work here can become targets".

More embarrassing than damaging

Some of the material the hacker posted online from the Google Apps documents was more embarrassing than damaging, like floor plans for new office space and a pitch for a TV show about the increasingly popular online messaging service.

Twitter says only one user account was potentially compromised because a screenshot of the account was included among the stolen documents.

The value in hijacking a user's account is limited, as those attacks are mainly used to post fake messages and try to trick the victim's friends into clicking on links that will infect their computers.

Sensitive Twitter documents were filched, though.

The hacker claims to have employee salaries and credit card numbers, resumes from job applicants, internal meeting reports and growth projections.

TechCrunch, a widely read technology blog, says it was e-mailed the documents, and subsequently published some of them, including financial projections that Twitter drew up in February.

The forecast envisioned Twitter generating its first revenue in the current quarter, with sales of about $400 000 and about 60 employees. By the end of next year, Twitter expected to employ about 345 people with annual revenue of about $140 million, according to the documents published by TechCrunch.

Twitter was hit twice before this year in similar incidents.

In an attack against Twitter in January, a Twitter support staffer's account was compromised using a password-guessing-program.

The hacker got administrative access to the site. The Twitter feeds for Barack Obama, Britney Spears and other celebrities were used to send out bogus messages. A similar attack happened in May.

The attacks on Twitter serve as a reminder of why many corporations are reluctant to jump on the cloud computing bandwagon. Outsourcing sensitive jobs can save money but also open up companies to more risk, because their data aren't entirely under their control.