In case you missed it, there was some major drama in the world of social media last week between the widely read social media and technology blog, TechCrunch, and social networking’s newest darling, Twitter. Dubbed Twitter-Gate, the ruckus all started when TechCrunch, one of the foremost information brokers in Silicon Valley, received a zip file full of 310 confidential internal documents from Twitter. Rather than sitting on the documents, TechCrunch decided to run with them, publishing juicy details about Twitter’s partner agreements, financial projections, and more.
Naturally, the incident brought on much criticism of both Twitter, for insufficiently protecting their sensitive information, and TechCrunch, for opting to post the material despite the fact that it was illegally acquired. While there is certainly plenty of criticism to go around, I wanted to take a minute here at the ReputationDefender blog not to speculate as to who was right and who was wrong, but rather to remind people just how important it is to protect your privacy in the digital age.
First, let us examine how Twitter’s sensitive material was leaked. According to an article from TechCrunch, the hacker (known as Hacker Croll) was successful because he treated Twitter’s infrastructure as an “eco-system.” In other words, Hacker Croll viewed Twitter as a whole. Rather than seeking one point of entry, he collected information about everything related to Twitter, particularly employees. During his search, he uncovered access to a Twitter employee’s Gmail account, which opened up a veritable Pandora’s Box of information including other e-mail accounts, social networking profiles, credit card numbers, and more.
TechCrunch breaks the attack down nicely in their article:
- HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
- HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.
- HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
- HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
- HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
- Even at this point, Twitter had absolutely no idea they had been compromised.
As easy as it would be to criticize the unnamed Twitter employee for leaving their information accessible, it is probable that he took the same amount of care in protecting his account as 99% of the rest of us. Unfortunately, in a world where personal information is accessible at the mere click of a button, it is not good enough to be partially secure.
So what are some tips for managing your privacy online? First, use common sense. If you have your e-mail account listed online along with information about your favorite dog Bowser, then you shouldn’t make your password recovery question, “What is the name of my pet?” Furthermore, if you don’t already use separate passwords for all of your web-based accounts, start.
Many of us spend our entire day on the Internet. If you use the same password for all of your accounts, you’re literally putting everything in your life up for grabs. Remember, the best passwords are a combination of mixed-case letters, numbers, and symbols. Make your passwords memorable, but also unique. Something like “1p9g8y1” is a lot harder to crack than “partyguy81.”
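As an added example (not from the original post or from TechCrunch), the sketch below audits a constructed account inventory for the two weaknesses described above, a lapsed recovery mailbox and a reused password, and works out which accounts fall together if one is lost. The account names, the `pw` fingerprints and the `findings` and `exposure` helpers are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed inventory (all names and values are made up for this example).
# pw:       opaque fingerprint of the password, equal when the password is reused
# recovery: account that receives this account's password-reset links
# lapsed:   True when the mailbox has expired and anyone could register it again
ACCOUNTS = {
    "old-webmail":   {"pw": "f1", "recovery": None,            "lapsed": True},
    "personal-mail": {"pw": "f2", "recovery": "old-webmail",   "lapsed": False},
    "work-mail":     {"pw": "f2", "recovery": "personal-mail", "lapsed": False},
    "shop":          {"pw": "f3", "recovery": "work-mail",     "lapsed": False},
    "bank":          {"pw": "f4", "recovery": None,            "lapsed": False},
}

def findings(accounts):
    """Return (issue, accounts) tuples for the two weaknesses in the post."""
    out = []
    by_pw = defaultdict(list)
    for name, acct in accounts.items():
        by_pw[acct["pw"]].append(name)
        rec = acct["recovery"]
        if rec is not None and (rec not in accounts or accounts[rec]["lapsed"]):
            out.append(("recovery mailbox lapsed or untracked", [name]))
    for names in by_pw.values():
        if len(names) > 1:
            out.append(("password reused", sorted(names)))
    return out

def exposure(accounts, start):
    """Accounts lost if `start` is lost, following reset links and reuse.

    Worst-case assumption: whoever holds an account also learns its password.
    """
    lost = {start}
    changed = True
    while changed:  # repeat until no further account falls
        changed = False
        for name, acct in accounts.items():
            if name in lost:
                continue
            via_reset = acct["recovery"] in lost
            via_reuse = any(accounts[o]["pw"] == acct["pw"] for o in lost)
            if via_reset or via_reuse:
                lost.add(name)
                changed = True
    return lost

if __name__ == "__main__":
    for issue, names in findings(ACCOUNTS):
        print(f"{issue}: {', '.join(names)}")
    for name in ACCOUNTS:
        print(f"losing {name} exposes {sorted(exposure(ACCOUNTS, name))}")
```

In this inventory the account with a unique password and no recovery link stands alone, while the lapsed mailbox at the bottom of the recovery chain takes three other accounts with it.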
As more and more people turn to the Internet to share information, issues of privacy and Online Reputation Management will continue to be pushed to the forefront of popular culture. Taking proactive steps to protect your identity online now will pay enormous dividends in the future.
