Someone Call Security

Thursday, 16 July 2009

Early yesterday, we were contacted by two blog journalists who had just been offered internal business documents stolen from Twitter by a hacker.

First, it’s important to note how these documents were stolen. In this case, a Twitter employee used the same non-unique password on multiple services. A hacker gained access to our business documents because this common password was retrievable on an unrelated system. If you’ve ever used the same password on more than one service, you’ve made the same mistake that led to this theft—it’s a web-wide issue. Random password generators as well as two-factor authentication for more sensitive systems are now mandatory at Twitter, Inc.

Twitter is more than jotted-down notes from a handful of meetings. Our future will be shaped by the passion and inventiveness of everyone who uses Twitter and through the execution of our ideas. Nevertheless, the publication of stolen documents is irresponsible and we absolutely did not give permission for these documents to be shared. Out of context, rudimentary notes of internal discussions will be misinterpreted by current and future partners, jeopardizing our business relationships.

We are pursuing a path to address the harm caused by these actions and, as noted yesterday, we’ve already reached out to the partners and individuals affected.