Twitter, Even More Open Than We Wanted

Wednesday, 15 July 2009

About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked. From the personal account, we believe the hacker was able to gain information which allowed access to this employee’s Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines.

This attack had nothing to do with any vulnerability in Google Apps, which we continue to use. This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan’s wife’s personal email was hacked and from there, the hacker was able to gain access to some of Evan’s personal accounts such as Amazon and PayPal but not email. This isn’t about any flaw in web apps; it speaks to the importance of following good personal security guidelines such as choosing strong passwords.

Stolen Documents, Not Compromised Accounts

It’s important to note that the stolen documents which were downloaded and offered to various blogs and publications are not Twitter user accounts, nor were any user accounts compromised (except for a screenshot of one person’s account; we contacted that person and recommended changing their password). This was not a hack on the Twitter service; it was a personal attack followed by the theft of private company documents.

We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents. We’re not sure yet exactly what the implications are for folks who choose to get involved at this point, but when we learn more and are able to share more, we will.

The ‘Underwear Drawer’ Analogy

We have a culture of sharing and communication within Twitter and these stolen documents represent a fraction of what we produce on a regular basis. Obviously, these docs are not polished or ready for prime time and they’re certainly not revealing some big, secret plan for taking over the world. As Peter Kafka put it, this is “akin to having your underwear drawer rifled: Embarrassing, but no one’s really going to be surprised about what’s in there.” That is an apt analogy.

Nevertheless, as they were never meant for public communication, publishing these documents publicly could jeopardize relationships with Twitter’s ongoing and potential partners. We’re doing our best to reach out to these folks and talk over any questions and concerns. However, our goal remains focusing on the most important business at hand—creating value for users and building the best possible Twitter service.