Twitter Confidential Documents Leaked: 310 Sent to TechCrunch

by cyn.khoo | July 15, 2009 at 01:16 pm

761 views | 0 Recommendations | 0 comments

Hundreds of confidential Twitter documents were sent to TechCrunch, a well-known technology and Web 2.0 news blog, on July 14, 2009. The documents were sent by a hacker using the pseudonym "Hacker Croll", who told TechCrunch he had accessed hundreds of "confidential corporate and personal documents of Twitter and Twitter employees" and would release them publicly, before sending TechCrunch a zip file containing 310 confidential documents.

The documents include Twitter executive strategies, meeting notes, partner agreements, financial projections, calendars, phone logs, employee meal preferences, interview records, product plans, and pitches. TechCrunch staff have combed through the documents and decided to release those they consider highly newsworthy while keeping private those with personal implications for many individuals (such as unsuccessful interviewees who remain in current high-level jobs).

There is clearly an ethical line here that we don’t want to cross, and the vast majority of these documents aren’t going to be published, at least by us. But a few of the documents have so much news value that we think it’s appropriate to publish them.

According to Reuters, "hundreds of readers" condemned TechCrunch after the site published only one of the confidential Twitter documents, the original pitch for the much-discussed Twitter reality TV show that made headlines in May 2009. Twitter issued a statement on their official blog in response to the publicized leak:

"We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents," Twitter said in an official blog post.

Reacting to the public outcry over releasing the documents, which swept TechCrunch comments, Twitter posts, and begot a trending topic and poll, TechCrunch published a second article defending their decision.

TechCrunch's reasoning included the points:

they are still withholding documents whose release would be personally detrimental to individual people
the documents are going to be published on the Internet anyway, regardless of TechCrunch's decision
TechCrunch did not obtain the documents unethically, but was given them outright
TechCrunch is not responsible for the fact that Twitter stored sensitive documents in a Google account protected by easily guessed passwords and recovery questions
most of the content on TechCrunch--and in fact nearly all good journalism--is based on such confidential information, leaked by one source or another
a TechCrunch 2006 post leaking confidential Yahoo documents about Facebook and a Wall Street Journal 2006 article with an internal Yahoo memo were cited as precedents

We publish confidential information almost every day on TechCrunch. [...] And it certainly was unethical, or at least illegal or tortious, for the person who gave us the information and violated confidentiality and/or nondisclosure agreements. But on our end, it’s simply news.

If you disagree with that, ok. But then you also have to disagree with the entire history of the news industry. “News is what somebody somewhere wants to suppress; all the rest is advertising,” is something Lord Northcliffe, a newspaper magnate, supposedly said. I agree wholeheartedly.

[I]f it lands in our inbox, we consider it fair game. And if we have reason to believe it will be widely published regardless of what we do, the decision isn’t a hard one. We throw out the information that is sensitive or could hurt an individual, and publish what we think is newsworthy.

Update (July 15, 2009):

Following up on the confidential documents breach, TechCrunch wrote a new article revealing what appeared to be a disconcertingly lax attitude towards security at Twitter. Based on information from yet another source, TechCrunch discovered and confirmed that the password to Twitter's servers, for instance, was "password", and that one of the usernames was "John", a co-founder of Twitter.

Twitter co-founder Biz Stone, responding to our email, said “this bug allowed access to the search product interface only. No personally identifiable user information is accessible on that site.” Although no user accounts were compromised or accessible, the vulnerability speaks to a greater culture of lax security at the startup, and may be indicative of how earlier breaches possibly occurred.