Twitter Hack Shows Security Weakness in the Cloud

Twitter has published details of the hack that leaked internal company documents to news Web sites, including TechCrunch. The social-media company traces the breach to an attacker who first got into an administrative employee's personal e-mail account.

“From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account, which contained Docs, Calendars, and other Google apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details, and more within the company,” said Twitter cofounder Biz Stone.

Password Weakness

Stone was quick to note that the attack involved no vulnerability in Google Apps, and that Twitter is still using the software. Rather, Stone blamed the attack on Twitter's popularity, which makes the company a target. The attack is not about any flaw in Web apps, he stressed, but speaks to the importance of following personal-security guidelines such as choosing strong passwords.

Stone also stressed that the stolen documents, which were downloaded and offered to various blogs and publications, are not Twitter user-account data, and that no user accounts were compromised apart from a screenshot of one person's account. In that case, Twitter contacted the user and recommended a password change.

Albert Wenger, a partner at the venture-capital firm Union Square Venture and a Twitter investor, said the username/password scheme isn’t sufficient for authentication. He said this is especially true given password-reset mechanisms based on canned questions with easily guessed answers. He offered a solution to what he sees as a major problem.

Authentication Solutions

“Give users the option to secure with a second factor,” Wenger said, noting that entering a cell-phone number during registration could enable the second factor. “As you log in with username and password, you receive an SMS with a code that you need to enter also. This will admittedly slow things down a bit and might be…
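The flow Wenger describes, a one-time code delivered out of band after the password check, is shown below as an added example; it is not code from Twitter, Google or Wenger. It assumes a 6-digit code, a five-minute lifetime and a cap of five wrong guesses, and it stands in an in-memory outbox for the SMS gateway so the flow runs offline. Only a hash of the code is stored server-side, the comparison is constant-time, the code is single-use, and the attempt cap is what keeps a short numeric code from being guessed by brute force.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

CODE_DIGITS = 6          # assumed length of the one-time code
CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per code


@dataclass
class PendingChallenge:
    code_hash: bytes       # only the hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class SecondFactor:
    """Second-factor step that runs after a successful password check.

    Hypothetical, self-contained implementation: instead of a real SMS
    gateway, "sent" messages are appended to `outbox`. `clock` is
    injectable so expiry can be exercised without waiting.
    """
    clock: Callable[[], float] = time.time
    pending: Dict[str, PendingChallenge] = field(default_factory=dict)
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def _hash(user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued for one account
        # cannot be replayed against another.
        return hashlib.sha256(f"{user}:{code}".encode()).digest()

    def issue(self, user: str, phone: str) -> None:
        """Generate a fresh code, record its hash, and 'send' it by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        # Any earlier unverified code for this user is replaced.
        self.pending[user] = PendingChallenge(
            code_hash=self._hash(user, code),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        self.outbox.append((phone, f"Your login code is {code}"))

    def verify(self, user: str, submitted: str) -> bool:
        """Return True exactly once: for the right code, within its lifetime."""
        challenge = self.pending.get(user)
        if challenge is None:
            return False
        if self.clock() > challenge.expires_at or challenge.attempts_left <= 0:
            del self.pending[user]          # expired or exhausted: force re-issue
            return False
        challenge.attempts_left -= 1
        if hmac.compare_digest(challenge.code_hash, self._hash(user, submitted)):
            del self.pending[user]          # single use
            return True
        if challenge.attempts_left == 0:
            del self.pending[user]          # too many wrong guesses: force re-issue
        return False


if __name__ == "__main__":
    sf = SecondFactor()
    sf.issue("alice", "+15555550100")       # constructed sample phone number
    _, message = sf.outbox[-1]
    code = message.split()[-1]
    print("wrong code accepted:", sf.verify("alice", "0" * CODE_DIGITS) and code == "0" * CODE_DIGITS)
    print("right code accepted:", sf.verify("alice", code))
    print("replay accepted:", sf.verify("alice", code))
```

The attempt cap and the expiry are what make a six-digit code usable at all: without them an attacker who already holds the password could try all million values. Issuing a new code replaces the old one, so a user who requests a resend does not leave two live codes behind.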
