SAN FRANCISCO: Breaking into someone’s e-mail can be child’s play for a determined hacker, as Twitter Inc employees have learned the hard way — one more time.

For the third time this year, the San Francisco-based company was the victim of a security breach stemming from a simple end-run around its defenses.

In the latest case, a hacker got the password for an employee’s personal e-mail account — possibly by guessing or by correctly answering a security question — and worked from there to steal confidential company documents.

The techniques used by the attackers highlight the dangers of a broader trend promoted by Google Inc and others toward storing more data online, instead of on computers under your control.

The shift toward doing more over the Web — a practice known as “cloud computing” — means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together.

Stealing the password for someone’s Gmail account, for example, not only gives the hacker access to that person’s personal e-mail, but also to any other Google applications they might use for work, like those used to create spreadsheets or presentations.

That’s apparently what happened to Twitter, which shares confidential data within the company through the Google Apps package that incorporates e-mail, wordprocessing, spreadsheet, calendar and other Google services for US$50 (RM180) per user per year.

Targeted

Co-founder Biz Stone wrote in a blog posting on Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and through that the attacker got access to the employee’s Google Apps account.

Separately, the wife of co-founder Evan Williams also had her personal e-mail hacked around the same time, Stone wrote. Through that, the attacker got access to Williams’ personal Amazon and PayPal accounts.

Stone said the attacks are “about Twitter being in enough of a spotlight that folks who work here can become targets.”

Some of the material the hacker posted online from the Google Apps documents was more embarrassing than damaging, like floor plans for new office space and a pitch for a TV show about the increasingly popular online messaging service.

Twitter says only one user account was potentially compromised because a screenshot of the account was included among the stolen documents. The value in hijacking a user’s account is limited, as those attacks are mainly used to post fake messages and try to trick the victim’s friends into clicking on links that will infect their computers.

Sensitive Twitter documents were filched, though. The hacker claims to have employee salaries and credit card numbers, resumes from job applicants, internal meeting reports and growth projections.

TechCrunch, a widely read technology blog, said it was e-mailed the documents and subsequently published some of them, including financial projections that Twitter drew up in February.

The forecast envisioned Twitter generating its first revenue in the current quarter, with sales of about US$400,000 (RM1.44mil) and about 60 employees. By the end of next year, Twitter expected to employ about 345 people with annual revenue of about US$140mil (RM504mil), according to the documents published by TechCrunch.

Stone said in an e-mail that most of the documents TechCrunch has access to are “speculative exercises.”

Lawyers called in

In his blog post, Stone said the stolen documents “are not polished or ready for prime time and they’re certainly not revealing some big, secret plan for taking over the world,” but said they are sensitive enough that their public release could jeopardise relationships with Twitter’s partners.

Stone said the company is talking to lawyers about “what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents.”

What the attacks on Twitter show is that websites don’t need to get compromised in the traditional sense to put its users and employees at risk.

Hackers don’t need to find a vulnerability in the site itself, or plant a virus on an employee’s computer, to sneak inside.

The easier approach is much more low-tech: All they need to find is an employee who uses weak passwords for his or her e-mail accounts, or has security questions that are easy to answer with a little information about the person.

It’s an old strategy that’s becoming more and more valuable as people’s personal and work lives merge online.

It can be trivial to guess someone’s passwords, as former vice-presidential candidate Sarah Palin found out during the election, when her personal e-mail was hacked and screenshots were posted online.

That attacker sneaked in by accurately guessing the answer’s to Palin’s security questions, based on information about her and her family that was already online.

Password-guessing programs are also a common hacking tool. An attacker runs the program against an account, and if it’s allowed to try lots of times and the password isn’t very complicated, the hacker’s in.

Not new

Twitter was hit twice before this year in similar incidents.

In an attack against Twitter in January, a Twitter support staffer’s account was compromised using a password-guessing-program.

The hacker got administrative access to the site. The Twitter feeds for Barack Obama, Britney Spears and other celebrities were used to send out bogus messages. A similar attack happened in May.

The attacks on Twitter serve as a reminder of why many corporations are reluctant to jump on the cloud-computing bandwagon. Outsourcing sensitive jobs can save money but also open up companies to more risk because their data isn’t entirely under their control.

Another trend online is for web-based services to streamline access by letting users log into each others’ sites with the same usernames and passwords. Facebook and other services have begun to do this, raising possible security risks.

The lesson from Twitter’s latest security troubles is an old one: Use strong passwords, which include some combination of letters and numbers, and for companies, be careful about how many accounts are linked to the same username and password combination. — AP

“This is simply Twitterrific!“

201 Twitter Tools and Twitter Apps, Known or Unknown, Jam Packin this exclusive +100 pages FREE Report. Download by clicking the Book below..

This Incredible “THE DEFINITIVE TWITTER RESOURCE GUIDE” is yours for FREE

The “Definitive Twitter Resource Guide” is a free e-book containing 201 Twitter Tools to empower you to more effectively manage your Twitter stream, followers and those you are following. The guide has been created by Stephen Pierce, author of “Make Real Money on The Internet,” which is said to be the most powerful money making manual for the internet. You can obtain a free copy of Stephen’s book by clicking here: Make Real Money on The Internet

The “Definitive Twitter Resource Guide” is divided by categories and includes: applications, ad networks, analytics, badges & widgets, Twitter for business, follow management, file sharing, finance, media, multi-account management, printing, posting & alerts, search engines, travel, trend and others.

The guide provides a very logical layout that includes hop links for each resource highlighted and rated in the guide. I was aware of a few of the resources featured and have used a couple such as Tweet Deck; however, the vast majority of these resources were new to me as Twitter is a rapidly evolving tool to leverage social media to become a powerful part of my overall traffic strategy.

FowNews.com

A hacker going by the name of “Hacker Croll” has apparently gained access to an administrator account at the micro-blogging service Twitter.

Posting on a French online discussion forum, Hacker Croll claimed to have hacked into the account of Jason Goldman, one of Twitter’s directors of product management. To back up the claims, he or she posted 13 screenshots of Twitter’s account management interface.

The screenshots suggest that the hacker was able to access the accounts of several celebrity Twitter users, including those of the singer Britney Spears and the actor Ashton Kutcher.

Late on Thursday evening, Twitter co-founder Biz Stone made the following statement on the site’s official blog.

“This week, unauthorized access to Twitter was gained by an outside party. Our initial security reviews and investigations indicate that no account information was altered or removed in any way. However, we discovered that 10 individual accounts were viewed during this unauthorized access.”

Obama’s, Britney Spears’ Twitter Accounts Hacked

Hackers have accessed the accounts of a series of celebrities on the popular micro-blogging Web site Twitter and left a variety of pornographic and dubious messages and links.

In the most serious breach of security for the burgeoning blogging site, beloved of the tech community, hackers have targeted more than 30 accounts including those belonging to Britney Spears, Barack Obama, Facebook, CNN anchor Rick Sanchez and the Huffington Post.

[Fox News Channel's Twitter account was also hacked with a message regarding commentator Bill O'Reilly.]

Twitter users post short updates — of less than 140 characters — on their accounts which can be followed by other users. The site has rapidly gained popularity since its launch in April last year.

Increasingly celebrities have signed up as a way of connecting with their fans, and many news outlets use Twitter to alert people to new stories posted on their Web sites.

The hackers found a way to take over the online tools used by Twitter’s support team to post the false updates or tweets, Twitter said in a blog posting.

During the security breach, Britney Spears falsely posted about the size of her genitals, Barack Obama (who has not used Twitter since his election victory) posted a link to a poll with the prize of winning free gasoline, Rick Sanchez said he was not coming into the office because he was high on crack cocaine and Facebook listed a link to a pornography site.

All the false postings have now been taken down and the accounts returned to the rightful owners, Twitter said

NEW YORK (CNN) — Someone opened a can of worms on popular microblogging service Twitter this weekend, a company co-founder says, and a 17-year-old told an online tech news network that he was that someone.

Virus-infected tweets assaulted Twitter, the microblogging site, in four waves last weekend.

In a post on Twitter’s official blog, company co-founder Biz Stone said computer worms had spread virus-infected tweets that assaulted Twitter in four waves from Saturday morning through Sunday night.

The company deleted some 10,000 infected tweets from at least 190 compromised accounts that could have continued to propagate the virus, he said.

Michael Mooney, a 17-year-old high school senior whose hacker handle is Mikeyy, claimed to be the creator and disseminator of the worms.

In an interview with CNET News, Mooney said that he embarked on the weekend hacking spree because he “was bored.”

Some of the rogue tweets directed users to StalkDaily.com, a Twitter-like messaging service created by Mooney. The worm also caused infected accounts to repost tweets that Mooney appeared to have written.

A few Twitter users took to their Twitter pages to vent their frustration with the high jinks. “This little worm needs to have his little bubble burst,” wrote user JWMcGregor.

But other Twitterers were less concerned.

“There are risks associated with all methods of news gathering and communication,” said CNN’s own prolific Twitter scribe Rick Sanchez, who added that Twitter’s advantages “outweigh the types of minor annoyances we’ve seen recently.”

Stone said that Twitter is taking steps to make sure this weekend’s worm onslaught is Twitter’s last such security breach.

“We’ll be reviewing our Web coding practices to make sure something like this won’t happen again,” he said, emphasizing that “no passwords, phone numbers, or other sensitive information was compromised as part of these attacks.”

Stone declined to comment on whether Twitter will file charges against Mooney.