Twitter Inc., the San Francisco-based company, has for the third time this year fallen victim to a security breach stemming from a simple end-run around its defenses. In the latest case, a hacker obtained the password for an employee's personal e-mail account and worked from there to steal confidential company documents. The techniques the attacker used highlight the risks of a broader trend, promoted by Google Inc. and others, toward storing more data online.
The hacker claims to have obtained employee salaries and credit card numbers, resumes from job applicants, internal meeting reports and growth projections.
TechCrunch, a widely read technology blog, was e-mailed the documents and subsequently published some of them, including financial projections that Twitter drew up in February. The forecast envisioned Twitter generating its first revenue in the current quarter, with sales of about $400,000 and a staff of about 60. According to the documents TechCrunch published, Twitter also expected to employ about 345 people and to have annual revenue of about $140 million by the end of next year.
Co-founder Biz Stone wrote in a blog posting Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and that through it the hacker gained access to the employee's Google Apps account. The stolen documents are sensitive enough that their public release could jeopardize relationships with Twitter's partners. Stone added that the company is talking to lawyers about "what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents."
The attacks on Twitter show that a Web site does not need to be compromised in the traditional sense to put its users and employees at risk. Hackers don't need to find a vulnerability in the site itself, or plant a virus on an employee's computer, to get inside. All they need is an employee who uses a weak password for an e-mail account, or whose security questions can be answered with a little public information about the person. The lesson from Twitter's latest security troubles is therefore an old one: use strong passwords, which include some combination of letters and numbers and are not reused across accounts; treat the answers to security questions as secrets rather than facts anyone can look up; and, for companies, be careful about how many accounts are reachable through the same username and password combination.