By Brian Czarny
This week it was impossible to escape the “big news” that Twitter got hacked. The French hacker, known as “Hacker Croll,” who made headlines back in May for a similar Twitter breach, was at it again. This time he managed to get his hands on at least 310 sensitive Twitter business documents by gaining access to an employee’s email account, then using information found in that account to access the employee’s Google Apps account and steal the confidential company documents. The hacker sent the documents to TechCrunch, which then chose to publish them along with an account of the breach.
This highly publicized breach got people talking, and ignited a wave of speculation about two things: first, about the security of passwords and how easy it is to guess the answer to someone’s security question based on publicly available information found on social media sites; and second, about the security of data stored “in the cloud” – in this case, Google Apps.
Oh no, the sky is falling!
Our data isn’t safe in the cloud!
On the second point, let’s not take this too far. This incident has little to do with the security of the cloud apps themselves. It is much more about the first point and the security practices that users of all Web sites and applications – whether they are banking sites, social media sites or cloud applications – should be employing in their day-to-day use.
The key lesson end users should take from this incident is that password security is critical, both in terms of the passwords you choose and the amount of data you expose publicly through social media sites like Twitter and Facebook.
Twitter spells this out in its blog response, and even Hacker Croll himself says that his intention is to teach people a lesson about the security holes in secret questions:
“What I would like to say is that even the biggest and the strongest do silly things without realizing it and I hope that my action will help them to realize that nobody is safe on the net. If I did this it’s to educate those people who feel more secure than simple Internet novices. And security starts with simple things like secret questions because many people don’t realise the impact of these questions on their life if somebody is able to crack them.”
Coincidentally, just three weeks ago, Webroot published our own research data about risky behavior from a survey of 1,100 users of social networks – and considering the Twitter breach, the results are not surprising:
- About one third of the respondents said they include at least three pieces of personally identifiable information and over one third use the same password across multiple sites
- Two-thirds of respondents said they do not restrict any details of their personal profile from being visible through a public search engine like Google
- Over half aren’t sure who can see their profile
As for the takeaway for businesses from this incident, the real story here is the increasing prevalence of social media usage in the workplace and the potential security risk it represents.
- Nearly 70% of businesses allow social media usage in the workplace*
- 75% of employees are using social networking sites such as Facebook, MySpace and LinkedIn for legitimate business purposes*
For businesses, we need to start talking more about the proliferation and usage of social media and Web 2.0 in the workplace and how to implement effective Web security measures to protect networks from threats and the potential loss of sensitive data.
Twittergate (as it’s being called) is a reminder of how important Web security is – for both business and personal use and that grey area in between.