By Harry McCracken | Monday, July 20, 2009 at 12:36 am
How did French data thief “Hacker Croll” break into accounts and swipe the 310 internal Twitter documents which he leaked to TechCrunch? TechCrunch’s Nik Cubrilovic has a long post explaining what happened–or at least what “Croll” says happened–in surprising detail. Even if you have serious issues with TechCrunch’s ongoing use of stolen documents–as I do–this story is worth a read.
Basically, “Croll” didn’t do anything particularly brilliant–and the chinks in Twitter’s security armor he slipped through are pretty much universal. Mostly, he took advantage of (a) Twitter’s reliance on other Web-based services to run its business; (b) the fact that every organization has employees who use the same damn password for multiple accounts; and (c) password recovery systems that can make it absurdly easy to break into someone else’s account.
Companies aren’t going to stop using Web services, and if there’s a way to prevent employees from using the same password for disparate services run by unrelated companies, I can’t think of it. The one aspect of breaches such as the Twitter break-in that is addressable is the lax state of password recovery. I’m worried it will stay lax, since the easier a Web company makes it for users to get back a lost password, the less it costs in customer support. But I dearly hope that Twitter’s embarrassment serves as a wake-up call for the whole industry–one that’s about a decade overdue.
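To make the password-recovery point concrete, here is an added example of what “lax” versus “addressable” looks like in code. It is not Twitter’s code and not anything from TechCrunch’s post; the user record, the security question, the wordlist and the class names (WeakRecovery, TokenRecovery) are all made up for illustration. The weak gate resets a password for anyone who can answer a security question, with no attempt limit, so a short list of common pet names is enough. The hardened gate instead issues a random, single-use, short-lived reset token, stores only its hash, and compares in constant time.

```python
"""
Added example (not from the original post, and not Twitter's code): a weak
security-question reset beside a token-based reset. All names are hypothetical.
"""
import hashlib
import hmac
import secrets
import time


def hash_password(password):
    # Plain SHA-256 stands in for a real password KDF (bcrypt, scrypt, Argon2)
    # only to keep this example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(users, username, password):
    return users[username]["password_hash"] == hash_password(password)


def make_users():
    # Constructed sample record. The "secret" answer is the kind of fact that
    # sits on a public profile or is simply a common word.
    return {
        "alice": {
            "password_hash": hash_password("correct-horse"),
            "secret_question": "pet's name",
            "secret_answer": "fluffy",
        }
    }


class WeakRecovery:
    """Reset gate that accepts a security-question answer, with no rate limit."""

    def __init__(self, users):
        self.users = users
        self.attempts = 0  # counts how many guesses the gate tolerated

    def reset(self, username, answer, new_password):
        self.attempts += 1
        user = self.users.get(username)
        if user is None or user["secret_answer"] != answer.lower():
            return False
        user["password_hash"] = hash_password(new_password)
        return True


# Hypothetical attacker wordlist; real ones are longer but the idea is the same.
COMMON_PET_NAMES = ["max", "bella", "charlie", "lucy", "fluffy", "buddy"]


def guess_weak_reset(gate, username, new_password):
    """Attacker's view: walk the wordlist until the reset succeeds."""
    for guess in COMMON_PET_NAMES:
        if gate.reset(username, guess, new_password):
            return guess
    return None


class TokenRecovery:
    """Reset gate that requires a random, single-use, short-lived token.

    The token is delivered out of band (e.g. to the account's e-mail) and only
    its hash is stored, so a leaked table does not yield usable reset links.
    """

    TTL_SECONDS = 15 * 60

    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now  # injectable clock so expiry can be exercised offline
        self.pending = {}  # username -> (token_hash, expires_at)

    def issue(self, username):
        """Return the plaintext token to send to the user; keep only its hash."""
        if username not in self.users:
            # A real service should still answer identically to the caller,
            # so that this path cannot be used to enumerate accounts.
            return None
        token = secrets.token_urlsafe(32)
        self.pending[username] = (
            hashlib.sha256(token.encode()).hexdigest(),
            self.now() + self.TTL_SECONDS,
        )
        return token

    def reset(self, username, token, new_password):
        entry = self.pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self.now() > expires_at:
            del self.pending[username]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):
            return False
        del self.pending[username]  # single use: a replayed link does nothing
        self.users[username]["password_hash"] = hash_password(new_password)
        return True
```

Note what the token gate does not do: it never asks a question whose answer an attacker can research, and a leaked reset link stops working after one use or fifteen minutes. Rate limiting and a second factor on the reset path are the next steps, but even this much removes the “guess the pet’s name” route the weak gate leaves open.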