Twitter on Thursday revealed that a hacker who figured out the personal email password of a company employee was able to steal a number of sensitive internal documents.
The thief, who used the alias “Hacker Croll,” was able to gain access to an administrative employee’s personal email account, which granted the intruder access to that worker’s Google Apps account. The account stored sensitive Twitter communications, including financial reports and plans for a reality show based on the popular microblogging service, according to TechCrunch, a tech blog that received more than 300 documents from Hacker Croll and decided to publish some on Wednesday.
Biz Stone, Twitter co-founder, said in a blog post that the hack, which happened about a month ago, did not impact any Twitter member accounts.
The intruder was able to gain access to the employee’s email account by correctly guessing the password, he said.
“This attack had nothing to do with any vulnerability in Google Apps, which we continue to use,” Stone wrote in a blog post Wednesday. “This is more about Twitter being in enough of a spotlight that folks who work here can become targets.”
“This isn’t about any flaw in web apps,” he added. “It speaks to the importance of following good personal security guidelines, such as choosing strong passwords.”
One of the documents that TechCrunch published was a proposal for a reality show called “Final Tweet,” which would pit entrepreneurs against upstart nonprofits who would rely on their Twitter followers as they compete for a $100,000 prize. Another file showed Twitter’s company projections through 2013, when it expects to have one billion users and generate annual revenues of $1.54 billion.
“Obviously, these docs are not polished or ready for prime time and they’re certainly not revealing some big, secret plan for taking over the world,” Stone wrote. “Nevertheless, as they were never meant for public communication, publishing these documents publicly could jeopardize relationships with Twitter’s ongoing and potential partners.”
The incident brings to mind a similar ploy used to gain access last year to former Alaska Gov. Sarah Palin’s Yahoo email account. The suspect in that case, a University of Tennessee student named David Kernell, was indicted last October. He has since pleaded innocent and is awaiting an October trial.