Mashable - The Social Media Guide: Twitter’s Security Meltdown

  • 9swords · 4 months ago
    I don't know about twitter itself, but individual users might find this helpful.
    http://www.passwordmeter.com/
    Try until you get 100%, then you will have a practically uncrackable password.
  • Andrew · 4 months ago
    This password tool gives a false sense of security. By defining rules such as "consecutive lower case characters", you reduce the possible set of combinations significantly. If you follow those rules, you end up with a very small set of possible combinations compared with the available set.
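Andrew's point above can be put in numbers. The block below is an added example (not from the comment thread); it assumes passwords are drawn from the 95 printable ASCII characters, 26 of them lowercase, and counts how much of the keyspace a rule such as "no consecutive lower case characters" removes, cross-checking the closed-form count by brute force on a tiny alphabet.

```python
import math
from itertools import product

# Assumptions (not from the thread): passwords are drawn from the 95 printable
# ASCII characters, 26 of which are lowercase letters.
ALPHABET_SIZE = 95
LOWERCASE = 26


def count_without_adjacent_lowercase(length, alphabet=ALPHABET_SIZE, lower=LOWERCASE):
    """Number of strings of the given length in which no two consecutive
    characters are both lowercase, i.e. the strings a meter rule such as
    "consecutive lower case characters" would not penalise.

    Dynamic programme keyed on the class of the last character: a string may
    end in a lowercase letter only if the previous character was not one.
    """
    if length == 0:
        return 1
    other = alphabet - lower
    end_lower, end_other = lower, other
    for _ in range(length - 1):
        end_lower, end_other = lower * end_other, other * (end_lower + end_other)
    return end_lower + end_other


def bits_lost(length, alphabet=ALPHABET_SIZE, lower=LOWERCASE):
    """Entropy (in bits) given up to an attacker who may assume the rule was
    followed: log2(all strings) - log2(strings obeying the rule)."""
    full = alphabet ** length
    kept = count_without_adjacent_lowercase(length, alphabet, lower)
    return math.log2(full) - math.log2(kept)


def obeys_rule(password):
    """True if the password contains no two consecutive lowercase letters."""
    return not any(a.islower() and b.islower() for a, b in zip(password, password[1:]))


def brute_force_count(symbols, length):
    """Enumerate every string over a tiny alphabet; used to cross-check the
    dynamic-programme count on inputs small enough to list exhaustively."""
    return sum(1 for s in product(symbols, repeat=length) if obeys_rule("".join(s)))


def report(max_length=12):
    """(length, full keyspace, keyspace left under the rule, bits lost) per length."""
    return [
        (n, ALPHABET_SIZE ** n, count_without_adjacent_lowercase(n), bits_lost(n))
        for n in range(1, max_length + 1)
    ]


if __name__ == "__main__":
    for n, full, kept, lost in report():
        print(f"len {n:2d}: {kept / full:6.1%} of keyspace remains, {lost:.2f} bits lost")
```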
  • 9swords · 4 months ago
    This type of strong password properly protects you against a "dictionary attack", which is what was used to successfully hack the accounts. I feel safe using Twitter; I even wrote one of the first tutorials on how to completely remove the "Stalk Daily" or "Mikeyy" malicious JavaScript from your Twitter account. These types of attacks are internal, through scripts that can spread to other accounts. Those are a far bigger problem, security-wise.
  • Stan_Schroeder · 4 months ago
    It's not entirely on topic, but when it comes to passwords, it's simple. Take a random string of chars and numbers - fgd43f2s - and it's uncrackable except via brute force. Of course, if there are other vulnerabilities in the system - a good example is WEP's awful implementation, where the strength of your password is completely irrelevant - a good password won't save you. But there's no big philosophy to it. And yes: do not use the same password for different services, especially important ones such as PayPal.
  • Stan_Schroeder · 4 months ago
    BTW, I just changed my Twitter password to a different one. Just in case (;
  • Anuj Seth - Twitdom · 4 months ago
    Moving 100% to OAuth for 3rd party apps is one way to block off security issues arising due to 3rd party apps. When will they make it mandatory to use OAuth?
  • Me · 4 months ago
    Well, don’t you give the 3rd application / service / company full read-write permission to your account using OAuth?

    I don't really see a difference... ok the account cannot get hijacked... but at least people could post and delete (your) Twitter messages... for me... no difference.
  • jonas · 4 months ago
    I got crabs from twitter.com/filthyrichmond
  • sultanofseo · 4 months ago
    The article suggests that images of PayPal, Amazon etc. accounts were leaked out. But I don't quite get the correlation between PayPal, Amazon and Twitter. To my knowledge none of those services integrate with Twitter, so why would that info leak out? And by pictures I assume you mean that someone took screengrabs of Evan Williams' account.

    I'm not familiar with who Evan Williams is, so it would have been nice of you to include who that was. Is he a celebrity, does he work at Twitter? Also, clarification of how they got the info: I mean, you go into detail about someone gaining access to the accounts but you never quite say whether it was through a 3rd party service like TwitPic or through Twitter itself?
  • Chris · 4 months ago
    Evan is the CEO of Twitter.
  • dumbfounder · 4 months ago
    It's a lot better than letting your username/password out, and it also requires two separate hacks if you have OAuth: they need your secret key and pass key for the web app, and then the individual's user-specific secret key and pass key (or whatever the terminology is, I forget). If you store those things in two different places it makes it much harder for the hacker to get actionable data. (Yes, Twicsy uses OAuth, and yes, we store the keys in different places.)
  • jsinkeywest · 4 months ago
    I know YOU :)
    but do people realize just how cool your site is ?
    http://searchles.com :)
    I talked with you a long time ago and called to ask about DO FOLLOW on your site :)
  • Dan · 4 months ago
    What exactly does having access to a PayPal account have to do with Twitter security? Are you suggesting he uses the same password and that his password was discovered, or that the accounts are somehow linked?
  • Stan_Schroeder · 4 months ago
    The former is possible, but I'm not suggesting it, as I don't know. My point is that Twitter, as a company, needs to start implementing better security practices, left to right, top to bottom.
  • dan · 4 months ago
    After reading further elsewhere on this issue, I'm very disappointed in Mashable. This is inflammatory and misleading, and frankly the kind of thing I'd expect to see on TechCrunch.

    The title and content of this article imply to the casual user (and all of those who see the tweets and retweets) that their Twitter account is a security risk, and a massive security risk when it involves PayPal. The "security issue" that allowed access to Twitter staff's PayPal account was that their Gmail account was hacked (and once you have email access, you can "forgot password" anywhere). Gmail account hacking had absolutely nothing (that I can see) to do with Twitter the webapp's security. If anything, that is a Gmail security issue, or a password complexity issue.

    Now, that internal documents from Twitter were hacked and stolen is a Twitter THE COMPANY security issue, but it does not have anything to do with Twitter THE WEBAPP and certainly does not have anything to do with end users and their paypal accounts.

    Shame on you Mashable.
  • Stan_Schroeder · 4 months ago
    To put it as simply as possible, I haven't written or implied what you're saying here.

    What I have done in this article is point out the various security issues that have plagued Twitter over the past months, and I've made sure to be very clear that these include several different types of problems: actual hacking of user accounts, Twitter employees' personal accounts being hacked, and (possibly) Twitter's administrator area being accessed by a hacker.

    Now, I've looked over the entire article and I do not see a trace of evidence to what you're suggesting. It's very clearly said that this latest incident has to do with Evan Williams' personal accounts.

    However, I believe you are wrong when you say that it "does not have anything to do with Twitter THE WEBAPP." This is exactly the point of this article: the series of security incidents related to (various aspects of) Twitter shows that Twitter hasn't given enough thought or made a good enough effort when it comes to security - overall. Even if security of Twitter the web app is rock solid, the perception of it will be bad if incidents like these continue. I'm merely hoping they will raise the bar and improve their track record when it comes to security, that's all.

    Now, you do raise a good point: a casual user seeing a retweet (or a retweet of a retweet) might get the wrong idea. For example, if someone links to this article in a tweet, saying something like "Twitter hacked!, EV's PayPal acc exposed" then yes, someone could get the wrong idea. But I don't see how I can prevent that - I've done all I can to word the article carefully so that someone doesn't misunderstand it, but I cannot control what people say in tweets and retweets.
  • Stan_Schroeder · 4 months ago
    @Alex: I understand your point of view. However, it's sometimes hard to please everyone. Even casual Mashable readers, or people who follow what's happening in or around Twitter casually, are aware that certain celebrity Twitter accounts got hacked or compromised on several occasions. We've also posted about the Twitter admin panel images back in April, which were a good (if not certain) indication that one of Twitter's admin accounts has been compromised. And now the same hacker and the same French blogs that posted those images in April posted many more documents, which are supposedly (but then again, not certainly) coming from Evan Williams' (Twitter co-founder, added clarification in the text) various personal accounts, but have a lot to do with Twitter; in short, they're confidential company documents, some of which are potentially very harmful.

    So, this article takes this latest security issue, and ties it into the obvious pattern of security problems that have been pestering Twitter in the past couple of months. You and Dan are acting as if this is the only security-related incident that happened to Twitter. It is not.
  • Chris · 4 months ago
    agreed
  • dan · 4 months ago
    [actually, i take back the TC dig. they reported much more honestly about this story.]
  • Gustavo Munoz · 4 months ago
    The problem is the casual user doesn't know who Evan Williams is. Therefore the statement "This same site (link omitted on purpose) now holds images from various personal accounts of Evan Williams, including PayPal, Amazon, Gmail and MobileMe." might drive the casual reader to think along lines like: "ok, if that poor guy (Evan) got his personal information compromised and it is related to this security problem within Twitter, and I use Twitter, maybe I might also be a target for this kind of attack".
    Stan, I guess next time you should clarify who the guys you name in your articles are. The first time I read your article I agreed it was impossible to understand what Dan was claiming, but after a while, I realized that it is impossible if you know Evan Williams is the CEO of Twitter, but if you don't know such a thing (and there are millions of people who don't know such a name and position), then casual readers can be misled.
    However, your clarification in the bottom of the article happily solves this problem.
  • Alex · 4 months ago
    Gotta say I agree with Dan. Let's say, for example, you went to digg right now and saw the recent post (on the front page) that says:

    <huge and bold>Twitter's Security Meltdown</huge and bold>
    <subhead>This is serious. Twitter has a big security problem.</subhead>

    How many people do you think actually go through and read (and grok) the actual article?

    How about: "Twitter head has personal accounts hacked"? "Twitter's CEO runs into security problems"?

    As Dan pointed out, the premise of your article isn't even valid: what does someone targeting Twitter employees' personal accounts have to do with the security of Twitter the app? If someone sifted through Steve Jobs' garbage and found a layout plan of an Apple conference room, would you stop using your iPhone due to security flaws at the company?
  • tehinsider · 4 months ago
    The fact is that the hackers gained access to one of the Twitter personnel & hence to @ev's account where they managed to gain access to his gmail acc & then to his Amazon, Paypal, etc.

    Twitter users should not be concerned.
    http://bit.ly/aoxDc
  • VictorianRoseNY · 4 months ago
    I agree, Twitter users should not be concerned with security on the site. You are quite safe, as I have found.
  • genieyclo · 4 months ago
    BS.
  • Wes Young · 4 months ago
    Great article Stan. I just started using Mashable and so far I really enjoy it. You guys are spot on in your commentary. Very interesting stuff. Keep it up.
  • Joe Dawson · 4 months ago
    Twitter have a rollercoaster service with so many highs and lows; they definitely need a security overhaul.
  • Donagh Mc Sweeney · 4 months ago
    It's actually amazing how a company/service with so so many holes in the basic fundamental architecture has become the hottest online tool over such a short time. And these holes aren't just hidden in the background with security issues but are spread all over the site as you say. If any other website was so frequently crashing/crawling/lax then it would be soon abandoned by its users in search of something new. But not twitter.

    In my opinion the only reason that Twitter has been able to avoid a mass exodus of users as a result of its problems is that it has built up such an enormous name for itself, not only online but offline. The ideology of Twitter was/is such a revolutionary idea that people are willing to overlook the glaringly obvious problems that exist with the service and simply accept them. They move on, they don't care, all they want to do is Tweet!
  • tFeeder · 4 months ago
    Twitter was never a true technology company. Building a site with Twitter's basic functionality is a weekend task for a small team of skilled developers. Nothing about Twitter's technology is innovative.
    That is as opposed to Google, built by two brilliant engineers. Their thesis, which introduced the foundations of the Google search engine, is an amazing piece of technological foresight. The G. founders thought from day 1 about indexing a billion documents, when the web was much smaller. Here's Brin and Page's thesis, read it!
    http://infolab.stanford.edu/~backrub/google.html

    Google faced similar scalability, security and spamming issues over the years, but the underlying technology and brilliant engineers hired by Google made sure issues are handled properly.

    Twitter was a side project of Odeo and, a couple of years later, still behaves (from a technological view) as someone's side project. T. doesn't have technology in the company's DNA, and they will not be able to solve these issues anytime soon.
  • Bob · 4 months ago
    You are wrong in so many ways.
  • jose · 4 months ago
    not that I disagree...but you should probably name some instead of just saying "nuh-uh!!!".
  • jarrod · 4 months ago
    That right there is some amazing insight. Please sign me up for your newsletter.
  • Bios Element · 4 months ago
    This is hardly a surprise. I've always felt twitter was lax with the most basic things. *Returns to identi.ca*
  • mindsmack · 4 months ago
    they really need to make this a secure non spam environment.
  • Jim C. · 4 months ago
    Yes, they need to make it as secure as possible. Non spam? GOOD LUCK. Not gonna happen.
  • Gebadia Smith · 4 months ago
    I think TC scooped you here....
  • d · 4 months ago
    If you like good R&B music check out LeVar Thomas - http://www.LeVarThomas.com
  • Steve_Dodd · 4 months ago
    Been "yelling" about this for a while! Glad this crucial topic is now getting mainstream attention. Hacking, spam and identity theft are a huge concern and if not fixed will kill Twitter! Without solid security and identity management it ceases to be relevant, as sources cannot be validated. Just think of the last Amber Alert spoof yesterday and so many (i.e. Goldblum death) before it. If sources cannot be trusted, messages will be ignored, Twitter will die.

    Could Twitter be the next source for a "War of the Worlds" (1938 Orson Welles radio program) but intentional, not accidental? Think about it.
  • People Search · 4 months ago
    I am not famous enough to worry about having someone take any interest in hacking my Twitter account. I guess that is one of the modern benefits of being among the nameless, fameless masses. =)
  • wecandobiz · 4 months ago
    @ Anuj Seth

    You are right. People have got into the habit of surrendering their Twitter login details to use Twitter-based apps and it will be hard changing users from this mindset, even pushing OAuth heavily to third party developers.

    Incidentally, OAuth is pretty neat. We have it to enable Twitter users to sign straight in to our website. Many more people use this to sign in than our Facebook Connect option.

    Ian Hendry
    CEO, WeCanDo.BIZ
    http://www.wecando.biz
  • redwall_hp · 4 months ago
    I doubt Evan Williams, co-founder of Twitter, is going to compromise the admin access by giving his login credentials to a third-party app...

    I'm guessing the password was guessed through a dictionary attack, or he was phished.
  • wecandobiz · 4 months ago
    Yep, but I'm less interested in this ONE high profile attack and much more interested in the hundreds if not thousands of instances a day when Twitter users find their identity compromised, even if it's only a third party app using their account to tweet ads to their hard-won follower list without their permission.

    It's happening all the time and much of this is because people play fast and loose with their Twitter identities.

    Ian Hendry
    CEO, WecanDo.BIZ
    http://www.wecando.biz
  • VictorianRoseNY · 4 months ago
    I just want to say that I used Firefox and I had nothing but problems, especially with browser security. I used to get numerous Microsoft warnings about my security being breached, I have had to defrag my computer, which I did not appreciate, and I have since gone to Google Chrome. I am extremely happy with this browser and have had no security issues whatsoever. I think Firefox needs some revamping in order to get previous users to return. I do not appreciate all the problems I had. And I have no inclination to use Firefox any time in the future.
  • John · 4 months ago
    These have nothing at all to do with Firefox.
  • Emily Fraser · 4 months ago
    How could they access @Ev's gmail, paypal etc via his twitter account? Mine aren't connected - are they?
  • redwall_hp · 4 months ago
    He probably uses the same password on the other sites, which generally is a bad idea. If someone figures your password for one site out, the first thing they do is go and try PayPal, as well as various email sites.
  • Mat Cendana · 4 months ago
    Oh darn! That's what I do too. Gonna change the one at Twitter NOW.
  • thelostagency · 4 months ago
    I agree, just use different passwords for each, and use a quality password generator, not some free JavaScript module that you found through Google. Get something that makes decent passwords that are more than the bare minimum and not one that just uses numbers and letters.

    you know there are spaces, symbols.....
  • VictorianRoseNY · 4 months ago
    Since I have been on Twitter, I have not had any problems with Twitter's security or my password being breached. I do find it hard to post blogs, but I am learning. There is a lot of junk on Twitter, but at least I can log in and tell the world how I feel about things or my mood of the day.
  • Chris · 4 months ago
    Wow, this article is very harsh. It also sounds very aggressive and as if they are attacking Twitter's work or security ethics. Did you know that Twitter comprises less than 40 workers, I believe? And they don't make profit off of Twitter directly. And on top of that, Twitter is growing extremely fast in a social medium that has never really been touched yet and the foundation has not been built yet. Unless someone can start from scratch and do an overall better job, then I wouldn't complain much. Hasn't anyone ever thought that people are getting better at hacking? WEP and WPA are child's play hacks nowadays, and if any "famous" or "influential" Twitter account gets accessed via that "secured" network, data can be mined quite easily. Before you rag on a company about something I feel you should know all aspects of what you're talking about. peace
  • Shaquille Ray · 4 months ago
    I change my password every 3 weeks to ensure that doesn't happen to my accounts. The internet is not safe; anyone at any time can access anything. I am going to wait for Twitter's response to this before I share this.
  • Chris · 4 months ago
    Wow, that's kinda stupid. Not to be harsh, but doing something like that means you're crazy paranoid (sorry) or you are oblivious to the way the web works and too ignorant to learn how to protect yourself.
  • James · 4 months ago
    Am I missing something?
    So a Twitter exec's accountant got hacked, over, and over, and over again.
    Who cares?
    So someone gets a hold of my twitter account. Posts porn links through it to my loyal followers.
    Again who cares?
    This is the worst case scenario, just like my bookkeepers' facebook sending me an adultfriendfinder link yesterday. No big deal. Take a deep breath.
  • mixedSignals · 4 months ago
    It sounds like those accounts were "hacked" either through phishing or brute force password attempts. Either way, it's the fault of the users, not Twitter.
  • Joseph Manna · 4 months ago
    I would love to hear about their plans to address this, both fundamentally, technologically and legally.
  • iTbay · 4 months ago
    Good luck trying to sell verified business accounts in the future when material documents have been released. Companies who have audited financial statements will have a hard time relying on Twitter's internal controls. STUPID!
  • TaraEuphoria · 4 months ago
    If Twitter has Windows Op systems/servers, they need complete Lockdown 100% with
    Cyberforcefield http://cyberforcefield.com - A REAL solution. We're Here 4 you Ev & The TwitterGang. Contact us via our Website OR @TaraEuphoria
    Smiles Tara
    Co Founder Timesavers International
    http://timesaversinternational.com/
  • johnbrundell · 4 months ago
    It is a good job we do not have to put our full addresses in our profile info. If full addresses were required then there would also be a risk of identity theft, as they could then use both name and address to obtain loans etc in your name.
  • anon · 4 months ago
    ... People who post their real addresses and full names publicly online are pretty much asking for it.
  • Tara Blackman · 4 months ago
    If you want REAL security you have to use security software that WORKS!!! If Twitter has Windows Op systems/servers, they need complete Lockdown 100% with
    Cyberforcefield http://cyberforcefield.com - A REAL solution. We're Here 4 you Ev & The TwitterGang. Contact us via our Website or @TaraEuphoria
    Smiles Tara
    Co Founder Timesavers International
    http://timesaversinternational.com/
  • Jared O'Toole · 4 months ago
    Twitter blew up so fast they didn't have time to take care of each small issue. Now there are just too many to keep track of. I don't really worry about it. Being online is a security risk and that's just something everyone has to deal with.
  • StartupBooster · 4 months ago
    Does Twitter have to approve all third party sites before they can accept users? Or is it the case that any fly-by-night website can use the API and start collecting users' information? I believe there are going to be issues when the security level at the third party sites is much lower than that of Twitter.

    These third party sites collect the username and password for Twitter. How do we know they are real and how do we trust they will store the information in a secure place? I guess these are some fundamental questions that I would like to discuss.

    -GD
    http://www.startupbooster.com
  • Pete · 4 months ago
    It's nice to see a tech blog with some ethics. Techcrunch has no morals.
  • Adryenn Ashley · 4 months ago
    It would only be an issue if you use a LIFE password, i.e., if they hack your Twitter and you use the same username, email and password for everything in your life. Then yes, I would say you are at risk.

    The key is to have some internal security of your own. For throw away accounts that have little personal information, have one type of login, for banking and highly private accounts, have a super high strength password that you change often. That way if your easy accounts get hacked, you keep the good stuff locked up.
  • isforinsects · 4 months ago
    I disagree. I think that /people/ are insecure by nature. The basic security assumptions of the web are insecure. User chosen passwords, email and question based recovery are all inherently insecure systems.
  • spinchange · 4 months ago
    Stan, I think the confusion comes from the first paragraph. You never clearly state up-front, at the outset, that this post is prompted by the news of Twitter's *employees* personal and business info being leaked - and not through the site itself in this case, but through Google Docs, evidently.

    You just start in on the broader issue/context of general security problems before getting into the specific example.

    I do applaud your choice NOT to publish the materials. There's not any point to, since they're out there already. I do think elaborating on the facts of that story is more important at this time than the broader story/analysis of Twitter's corporate & public IT security.
  • 1indienation · 4 months ago
    TechCrunch releasing the documents is WACKED. And nothing is private on the net.. but they do need to crack down on the hacked acct vulnerabilities.
  • Asphi Nacter · 4 months ago
    I think it's pretty sad that you read every comment, Stan, and feel that you need to defend yourself with a counter point. In the article you clearly state that the account hacks were an issue with 3rd party apps and user negligence. As for the hack of the admins, that has to do with security outside of Twitter, which allowed for them to gain access to Twitter and other sensitive accounts. Stop crying about so many people "misreading" your article, it is not the reader's fault it's the writer's.
  • Miles T · 4 months ago
    I would hardly call this a "MELTDOWN", seriously. You can't blame Twitter for its users' (and admins') poor choice in passwords. If you're using "bob123456" as your password then you deserve to be hacked for being ignorant enough to think you're safe. I learned my lesson when my blog was hacked and I now use cryptic passwords on everything and store them in a password vault that auto-fills, so even if I have a keylogger installed it can't log a password. Try using something like !$rTzEE@##~549" as a password; you'll have much better success and this PERCEIVED "meltdown" will all go away.

    Cheers
    Miles
    http://www.newfollowing.com
  • Andrew Warner · 4 months ago
    I didn't realize you guys had those docs too. Glad you wrote this post.
  • aawindoze2 · 4 months ago
    Wow, I guess it was just a matter of time!~

    RT
    www.anonymize.tk
  • Your Name* · 4 months ago
    YO THIS IS A POOR STATEMENT, "there’s absolutely no reason to believe that being a Twitter user implies a security risk to your other accounts." HAVING ANY SECURITY ISSUES WITH ONE ACCOUNT CAN LEAD TO THE TAKEOVER OF ALL ACCOUNTS, TOO MANY PEOPLE USE THE SAME PASSWORD FOR EVERYTHING. If someone's email password is the same as their Twitter password, forgettaboutit!
  • Evelyn McCormack · 4 months ago
    Not good news for Twitter users...
  • Robert Burke · 4 months ago
    You are talking about Twitter security flaws yet you are stating that "such-and-such" a site has shown images of Evan Williams' PayPal, Amazon, Gmail and MobileMe. By saying it in such a manner, it makes it sound like they got this information through Twitter. You never made it clear that they might have gotten these through some other manner. I, at first, thought the same thing.

    It's all in the grammar.
  • Thomas · 4 months ago
    So you claim that Twitter is having a "security meltdown" and your only proof is some idiot celebrities who used easy to guess passwords? Stupid people will always pose a security threat to themselves. That has nothing to do with the security of the service.
  • Larry · 4 months ago
    Agree with the footnote that no one should be concerned about their similar (PayPal, Gmail, Amazon) accounts being compromised by this problem... but it does bring up the larger issue about the lack of security on SN sites in general and Twitter in particular. I don't feel any of what's known here will result in any exploits exposing info deeper than what's ON Twitter, but it should be apparent that what IS there is wide open. Caveat Emptor... however we're not really 'buyers' cuz the service is free, and there may be a good reason for that and also why it's not looking so great for them to go commercial.
  • Kringle, A Corporation Sole · 4 months ago
    Does this even broach the topic of performance issues that severely hinder the site's usage?

    Often, there is such a delay between what I type and its display on the screen that I rather choose to discontinue my efforts to "tweet".

    If there is some sort of cyber-warfare going on, then isn't it time we push back?
  • the King · 4 months ago
    I think this line is where people get the wrong impression

    "This same site (link omitted on purpose) now holds images from various personal accounts of Twitter co-founder Evan Williams, including PayPal, Amazon, Gmail (Gmail) and MobileMe (MobileMe). "

    What is being implied in the article is ambiguous at best and sensationalist at worst.

    What you should say is that "user-inputted data in the Twitter administration area is subject to compromise", if that is what you actually mean.
  • @gwoodard · 4 months ago
    This is no surprise. My specialty is outside what you call "Social Media", and I can tell you that compared to other computing this whole genre has a downright reckless attitude toward privacy and security. It is stunning actually. When business plans actually set out to acquire and leverage private user data, stories like this are predictable.
  • MichaelADeBose · 4 months ago
    I don't see how anyone can say this post discussing actual events, related to Twitter and some of its now multiple and very public security breaches, infers anything about the safety of Twitter user info. The inferences whether warranted or not, come from the actuality of these very public security breaches. That is not to say that because a Twitter server's password was "password" or that a breach or so described as a "hack" turned out to be social engineering, means Twitter user data is somehow unsafe. Is it possible that somehow the good people at Twitter could demonstrate lax regard for their own data and yet utter concern for user data? Entirely! Still if you use Twitter, a little extra caution should be exercised at the very least.
  • Bob · 4 months ago
    Sheesh, inflammatory language much? "Burn everything security-related down to the ground"? "Twitter needs to seriously rethink its attitude towards security"? You sound like a patronizing school principal.
  • Tim Acheson · 4 months ago
    This week Twitter’s own internal systems were hacked, along with the accounts of Twitter users including celebrities:

    http://www.timacheson.com/Blog/2009/jul/twitter...

    The point of entry wasn’t a gap in Twitter’s security. The hacker(s) gained access through a Google Apps account. The worry with a Google account is, it’s web-based and therefore only as secure as the rest of the Internet. If your Google account is compromised and you use Google Docs in a serious commercial setting, your Twitter account will be the least of your worries.
  • PeopleSearch · 4 months ago
    I think that they were just so wrapped up in their site's success that they totally ignored making sure that all of the security and loopholes were properly taken care of. Google People Search
  • Attie · 3 months ago
    Very nice "clarification" at the very end. I know some are starting to doubt cloud computing because of Twitter's security breaches, but I'm glad you touched on the more obvious human errors that caused Twitter's meltdown.