Twitter Theft: It's Really All About Google

Includes: GOOG, MSFT, TWTR
by: Michael Eisenberg

Lost in the brouhaha Michael Arrington stirred up on Techcrunch about the ethics of posting to Techcrunch the documents stolen by a hacker from Twitter, is a most important nugget that Arrington brings out in the comments:

Michael Arrington (@arrington) - July 14th, 2009 at 11:22 pm PDT

the original security hole seems to be Google, via Google Apps for your Domain. Some passwords were guessed and things started to fall apart from there. Most (or all) of these documents were downloaded from Google’s servers.

A hacker breaks into Google's Apps for your domain and while Twitter thought they were secure and they had outsourced their security to Google, in reality they were exposed.

The bottom line is that many startups and an increasing number of large companies are using Google Apps for critical company documents. Most of them think that they are living securely. They are not. This happens in the evolution of the software industry. Microsoft was impacted by viruses, and their software is notoriously buggy and often not secure on release. This is a risk for Google going forward and an interesting nod that cloud security companies are needed.

One last word: As you move your company to cloud apps, it would be wise of these companies to check into security procedures and see if they can augment their security in some way. Additionally, document storage policies need to be examined on an ongoing basis.

Update: I received this note from Andrew Covacs at Google's corporate communications group.

Great, thanks for the reply. Have you seen Biz's post here?

He clarifies:
This attack had nothing to do with any vulnerability in Google Apps which we continue to use....This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines,
such as choosing strong passwords.