Twitter/Google Apps hack raises questions about cloud security

Questions about cloud security and the feasibility of storing critical information in Web-based services are being raised in the wake of a hacking incident involving Twitter and Google Apps.

A hacker obtained and distributed more than 300 confidential documents pertaining to Twitter's business affairs that were stored on Google Apps.

12 tips for safe social networking

Insufficient password strength has been pegged as a root cause, but industry observers are debating whether Google or Twitter is most at fault. "It's not clear to me whether it's a black mark on Google or a black mark on Twitter at this point," says Pund-IT analyst Charles King.

Shortly after the data theft was reported, Twitter CEO Evan Williams used his own Twitter account to note that he was "having a bad night."  

Google has bolstered the security of its office productivity tools, for example earlier this year adding a feature that lets administrators set password length requirements and view password strength indicators.

But Gartner analyst John Pescatore says customers should remember that "Twitter and most of Google Apps until, say, 18 months ago, were built as consumer-grade services to share information very widely and easily, not to protect information and prevent information from flowing."

Twitter, for its part, absolved Google Apps of any blame in a blog post Wednesday by Twitter co-founder Biz Stone. Rather than any vulnerability within the Google service, Stone said the incident speaks more to the importance of choosing strong passwords.

"About a month ago, an administrative employee here at Twitter was targeted and her personal e-mail account was hacked. From the personal account, we believe the hacker was able to gain information, which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company. Since then, we have performed a security audit and reminded everyone of the importance of personal security guidelines," Stone writes. "This attack had nothing to do with any vulnerability in Google Apps which we continue to use," Stone continues. "This is more about Twitter being in enough of a spotlight that folks who work here can become targets. In fact, around the same time, Evan's wife's personal e-mail was hacked and from there, the hacker was able to gain access to some of Evan's personal accounts such as Amazon and PayPal but not e-mail. This isn't about any flaw in Web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Google issued a statement in response to a request from Network World, but did not comment specifically about the Twitter data exposure.

"We are highly aware of the importance of our users' data, and we have extensive policies and procedures in place to help provide high levels of data protection," Google said. "We haven't received any communication from customers about this issue, and therefore we can't confirm or comment on specifics at this time."