By Harry McCracken | Wednesday, July 15, 2009 at 8:11 am
Well, this is embarrassing: A hacker who apparently broke into various online accounts associated with Twitter executives and employees has sent TechCrunch hundreds of documents he purloined, including everything from user-growth projections to staffers’ meal preferences. TechCrunch’s Michael Arrington says he’s going to publish the stuff that has a lot of news value.
I’m not that interested in the sensitive Twitter documents themselves; to me the most interesting aspect of all this is how easily the hacker was apparently able to get into Twitter’s online accounts. He doesn’t appear to have done any true hacking, in the sense of exploiting a software flaw–he was simply able to determine or reset passwords at Gmail, AT&T, MobileMe, and elsewhere.
Observers are rightly saying that the pilfering is a useful reminder of the risks of storing sensitive information on the Internet. More specifically, it suggests that some Web services’ password-recovery features are inherently dangerous. It’s possible that some Twitter employees chose passwords or secret questions that were too easy to guess, but it’s also possible that they followed the services’ own advice and instructions to the letter, and their accounts still weren’t safe.
When someone broke into Salma Hayek’s MobileMe account in April, I wrote that using easily obtained information like a user’s birthday or the maiden name of his or her mother to protect an account is unacceptably risky. It’s also dangerous to provide password-recovery tools that let someone reset a password in a single browser session, without any out-of-band step such as a link or code sent to a separate e-mail address.
Even after the crummy publicity of Salma’s security breach, MobileMe is still suggesting to users that “What is my pet’s name?” is a reasonable secret question.
If you know (or can guess) a MobileMe user’s account name, birthday, and the answer to his or her secret question, you’re in–and all three are exactly the sort of facts a stranger can often dig up or guess, with no password, e-mail access, or technical skill required.
Bottom line: It pays to be paranoid online, especially since some of the companies whose services you use are probably way too nonchalant. If a service asks for easy-to-find information, it’s not a bad idea to simply lie like a rug. Any fool can determine that your mom was a Benson, so why not decide that for the purposes of your online security, she was a McGillicuddy–and then never tell another living soul? Even when you can specify your own “Secret Question,” giving an answer that’s wrong (or simply random and written down somewhere safe) isn’t a bad safety measure.
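To make the two points above concrete–the one-session reset that only asks for a name, a birthday and a secret answer, and the “pick an answer nobody could know” advice–here is an added example in Python. It is not code from this post, from Apple, or from any of the services mentioned; the account data, the pet-name guess list and the e-mail “outbox” are all constructed for illustration. The weak flow models what the post describes; the hardened flow stores a user-chosen random answer hashed and salted, limits attempts, and only ever hands out a single-use, short-lived token over a separate channel.

```python
"""Added example, not from the article: a toy single-session password-recovery
flow beside a hardened one. All data below is constructed for illustration."""
import hashlib
import hmac
import secrets

# Constructed sample account for the weak, reset-in-one-session service.
WEAK_ACCOUNT = {
    "username": "alice",
    "birthday": "1975-04-02",
    "secret_answer": "fluffy",   # the kind of answer the post warns about
    "password": "hunter2",
}

# Constructed guess list standing in for what an attacker would try first.
COMMON_PET_NAMES = ["max", "bella", "buddy", "lucy", "charlie", "fluffy", "daisy"]


def weak_reset(account, username, birthday, answer, new_password):
    """Weak flow: three pieces of public or guessable knowledge reset the
    password in one request, with no out-of-band step and no attempt limit."""
    if (username == account["username"]
            and birthday == account["birthday"]
            and answer.lower() == account["secret_answer"]):
        account["password"] = new_password
        return True
    return False


def attack_weak(account, username, birthday, guesses):
    """Dictionary attack against the weak flow; returns the guess that worked."""
    for guess in guesses:
        if weak_reset(account, username, birthday, guess, "pwned"):
            return guess
    return None


class HardenedRecovery:
    """Hardened flow (constructed): the answer is whatever the user chose (ideally
    random), stored only as a salted slow hash; a correct answer merely triggers
    a one-time token sent out of band; attempts are capped per account."""
    MAX_ATTEMPTS = 5
    TOKEN_TTL = 15 * 60   # seconds

    def __init__(self, username, answer, password, outbox):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.answer_hash = self._hash(answer)
        self.password = password
        self.attempts = 0
        self.pending = None     # (token, expiry) while a reset is in progress
        self.outbox = outbox    # stands in for the recovery e-mail channel

    def _hash(self, answer):
        # Normalize case and whitespace, then slow-hash with a per-user salt so
        # two users with the same answer do not share a stored value.
        norm = answer.strip().lower().encode()
        return hashlib.pbkdf2_hmac("sha256", norm, self.salt, 100_000)

    def begin_reset(self, answer, now):
        """Step 1: check the answer; on success send a token out of band.
        Returns 'locked', 'denied' or 'token_sent'; never the token itself."""
        if self.attempts >= self.MAX_ATTEMPTS:
            return "locked"
        self.attempts += 1
        if not hmac.compare_digest(self._hash(answer), self.answer_hash):
            return "denied"
        token = secrets.token_urlsafe(32)
        self.pending = (token, now + self.TOKEN_TTL)
        self.outbox.append(token)
        return "token_sent"

    def finish_reset(self, token, new_password, now):
        """Step 2: the token from the other channel completes the reset.
        Tokens are single use and expire; a failed attempt burns the token."""
        if self.pending is None:
            return False
        expected, expiry = self.pending
        self.pending = None
        if now > expiry or not hmac.compare_digest(token, expected):
            return False
        self.password = new_password
        self.attempts = 0
        return True


def demo():
    """Run both flows against the constructed guess list and summarize."""
    weak = dict(WEAK_ACCOUNT)
    hit = attack_weak(weak, "alice", "1975-04-02", COMMON_PET_NAMES)
    outbox = []
    # The 'McGillicuddy' answer: random, and never told to another living soul.
    hard = HardenedRecovery("bob", secrets.token_urlsafe(12), "hunter2", outbox)
    verdicts = [hard.begin_reset(g, now=0) for g in COMMON_PET_NAMES]
    return {"weak_cracked_with": hit, "weak_password": weak["password"],
            "hardened_verdicts": verdicts, "tokens_sent": len(outbox)}


if __name__ == "__main__":
    print(demo())
```

Against the weak flow the seven-name list recovers the account on the sixth guess; against the hardened one the same list produces five denials and then a lockout, and even a correct answer changes nothing until a token that only the legitimate mailbox receives comes back.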