The micro-blogging website's founder Biz Stone claimed that Twitter was taking legal advice about what the ‘theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents’.
Stone pointed out that the attack had nothing to do with any vulnerability in Google Apps, which Twitter continues to use, and that the hack was ‘a personal attack followed by the theft of private company documents’.
The company claimed that an administrative employee was targeted about a month ago and that her personal email account was hacked. From this the hacker was believed to have obtained information that allowed access to the employee's Google Apps account, which contained Docs, Calendars and the other Google Apps that Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company.
Stone claimed that Twitter has since performed a security audit and reminded everyone of the importance of personal security guidelines.
Stone said: “This attack had nothing to do with any vulnerability in Google Apps which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords.”
It is believed a French hacker who goes by the moniker ‘Hacker Croll’ illegally accessed the files online by guessing staff members' passwords. Some of the 310 pieces of material were published by the TechCrunch website.
TechCrunch editor and founder Michael Arrington claimed that he had consulted lawyers about the laws that cover trade secrets and the receipt of stolen goods. He wrote: “There is clearly an ethical line here that we don't want to cross, and the vast majority of these documents aren't going to be published, at least by us. But a few of the documents have so much news value that we think it's appropriate to publish them.”
Mark Fullbrook, UK and Ireland country manager for Cyber-Ark, said: “I find it amazing that a company such as Twitter still holds company sensitive information such as HR records on servers that can be accessed with a simple username and password, without any ability to audit who has access.
“The fact that this has come from the use of an administrator's account, further underlines our advice to utilise a digital vaulting solution to store and manage highly sensitive info whether that be a file or a privileged password.”
Amichai Shulman, CTO of Imperva, said: “This is a great lesson in cloud security. My guess is that once the hackers got hold of the email account they used the ‘recover password’ feature of Google Apps to compromise the Google Apps account for that individual. Not that this could not have happened to a corporate account, but in order to compromise a corporate account you'd usually go through two authentication mechanisms (VPN and then internal network login).
“If you had a good data loss protection solution in place, you would prevent your business' sensitive documents from leaking. With a cloud service there is no one to ‘double check’ the extraction of documents and other sensitive information.”