
Google Apps Security Questioned After Twitter Leak

Twitter uses Google Docs for information sharing. How do I know this? Well, it seems Twitter Inc. has had a pretty significant security breach which was brought on by a Twitter employee's Google Apps account being hacked. Have a look below at one of the screenshots the hacker has sent to various news sites.

According to Twitter founder Ev Williams:

"Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of Twitter where someone gained access to users' accounts. This had nothing to do with the security of Twitter.com, and there were no user accounts compromised here.

"Some notes:

"He did not actually gain access to my @ev Twitter account (or any Twitter accounts), nor any administrative functions of the site.

"There is also no evidence that he gained access to my email. There was one administrative employee whose email was compromised, as was my wife's Gmail account, which is where he got access to some of my credit cards and other information.

"He also successfully targeted a couple of other employees' personal accounts (Amazon, AT&T, Paypal…).

"In general, most of the sensitive information was personal, rather than company-related. Obviously, this was highly distressing to myself, my wife and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email."

That doesn't sound like a lot of trouble. But the documents coming out of the hacker seem to be pretty significant. The "problem" is that once a Google Apps email account is compromised, the attacker also has everything shared with it: Calendar, Docs, Contacts, Wikis (Sites), etc.

While the report doesn't say exactly how the information was compromised, it seems the hacker knew the employees' names and ran brute-force password-guessing against their accounts. One of the employees had a weak password and boom, everything was exposed.

This isn't to say that Google Apps has weak security. The security of Google Apps is what you make of it. This employee probably had a weak password. You have the ability to enforce strong passwords in the Admin control panel. The same access could have been gained from a compromised Microsoft Exchange account with access to public folders.

Ev mentioned that his wife's personal Gmail account had been compromised as well but nothing Twitter.com related had been hacked.

If nothing else, this should remind Google Apps admins to make sure their users use strong passwords on their accounts.
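Beyond enforcing strong passwords, an admin can watch for the pattern described above: a burst of failed logins against a known account name followed by a success. The following is an added example, not code from the article or from Google: it runs a simple window-based brute-force detector over a constructed auth log whose format is assumed here (it is not Google Apps' real log format).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (assumed format, not a real Google Apps log):
# timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2009-07-15T09:00:01 alice@example.com 203.0.113.7 FAIL
2009-07-15T09:00:03 alice@example.com 203.0.113.7 FAIL
2009-07-15T09:00:05 alice@example.com 203.0.113.7 FAIL
2009-07-15T09:00:07 alice@example.com 203.0.113.7 FAIL
2009-07-15T09:00:09 alice@example.com 203.0.113.7 FAIL
2009-07-15T09:00:11 alice@example.com 203.0.113.7 OK
2009-07-15T09:01:00 bob@example.com 198.51.100.4 FAIL
2009-07-15T09:30:00 bob@example.com 198.51.100.4 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse the constructed log into (timestamp, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, user, ip, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs with >= threshold failures inside `window`, and
    record whether a success from the same source followed the burst, which
    suggests the password was eventually guessed rather than mistyped."""
    failures = defaultdict(list)  # (user, ip) -> failure timestamps in window
    alerts = {}
    for ts, user, ip, outcome in sorted(events):
        key = (user, ip)
        if outcome == "FAIL":
            # keep only failures still inside the sliding window
            failures[key] = [t for t in failures[key] if ts - t <= window]
            failures[key].append(ts)
            if len(failures[key]) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(failures[key])
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts
```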
