Learning Lessons From The "Twitter Hacker" [pcworld.com] Incident
Hacker Croll started by building a profile of his target company, in this case Twitter. Basically, he assembled a list of employees, their positions within the company, and their associated e-mail addresses. After the basic information was accumulated, Croll built a small profile for each employee with their birth date, names of pets, and so on. After Croll had created these profiles, he just went about knocking on doors until one fell down. That's exactly what happened when he did a password recovery process for a Twitter employee's personal Gmail account. Croll discovered that the secondary account attached to this person's Gmail was a Hotmail account. The problem was that Hotmail account had been deleted and recycled due to inactivity -- a longstanding policy on Hotmail. Now, all Hacker Croll had to do was reregister the Hotmail account for himself, go back and do the Gmail password recovery, and then Gmail sent the password reset information straight to the bad guy.
Twitter Hacker Exposes Company Documents [webmasterworld.com]
What type of software would stop a more suave hacker who profiles employees to DATE one?
edit: my point being a two-pronged approach is best. Protect your passwords, and track anyone who tries to request lost passwords so they leave a trail that leads back to them (IP tracking, phone verification etc.)
So how can you safely retire an old hotmail account? I guess you could try to find all the sites and systems you used with that email. But even then you are likely to forget or miss a few.
Maybe there is an obvious answer, but it is too early in the morning for me. ;-)
that means OFFLINE
You'll need a separate piece of software to keep track of them all
I guess you'd need to protect this though...mother's maiden name, anyone?
For me, the weakest link of this system is likely physical security, as I carry the password database around on a flash drive on my keychain...
Two thoughts. I remember a colleague finding a USB drive in a car parking lot. [webmasterworld.com]
What about reliability of the USB drive. Do you have a backup stored safely?
I think that is a perfectly fine policy.
What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.
This is a good reason to use strong randomly generated passwords for every site you log into. You'll need a separate piece of software to keep track of them all, but it will stop this sort of thing from happening.
The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.
If any employee has been divorced the ex has ALL information needed to get into anything they like including birth date, social security number etc.
Information that would be quite valuable for convincing a diligent email password recovery interface to email the password, but would not necessarily get them into the target email account in order to retrieve it. There are indeed some websites that will let you reset a password without email confirmation, but they are rare.
What needs to happen here is that Google, Microsoft, Yahoo, and several other big providers need to come up with an API for each other to check if a username exists. If the username does not exist, then they don't send any email there.
The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)
The solution for this particular vulnerability seems pretty straightforward: Don't let your employees use web email accounts as their backup email. Everyone gets an ISP email address whether they use it or not and presumably companies like Twitter don't have any employees without internet access.
The hacker used email password recovery to have the password sent to him. The strength and randomness of the password, as well as whether or not it was used at another site, were irrelevant.
I never retain a password that has been mailed to me. I will always go to the site and generate a new one after receiving a password recovery mail.
Prohibiting webmail seems a bit extreme. Just implement a reasonable pattern of regular password updating. You can force users to update their passwords in Google Apps. Perhaps Gmail and other webmail providers should institute a more stringent reconfirmation of a user's ID on a more frequent basis.
Opinion: Top 11 things to learn from Twitter security [computerworld.com]
1. Don't be afraid to suspend accounts that present a risk to you and your users.
2. Doing one thing right doesn't make you good at -- does not even mean you understand -- security.
3. Single sign-on should be limited.
4. Sensitive information must be stored internally.
5. Access control must be implemented.
6. Web-based password reset schemes are not appropriate for a corporate environment.
7. Implement misuse and abuse detection.
8. Security must be proactive.
9. You must control your own forensics data.
10. Social networking can cripple an organization.
11. If an idiot can do this, what will a savvy criminal be capable of?
The email account/username in question did exist, the hacker (re)created it. Unless you're saying that the above should consider an account name taken if it exists at any of the three? Not gonna happen :-)
Well, I am saying that the first time it was tried the hacker knew what the account was. During that step, Gmail should have pinged Hotmail and Hotmail said the act was DOA, so Gmail should have purged that Hotmail address from its system and not allowed it to be used a 2nd time (which is when the pw reset link was sent to the freshly created Hotmail act).
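The thread proposes two defensive controls: the provider should notice that a recovery mailbox was deleted and recycled before mailing a reset link to it (the "ping Hotmail and purge" idea above, and the cross-provider existence API suggested earlier), and every reset request should leave an audit trail with the requester's IP. The following is an added example, not code from Twitter, Google, Microsoft or the poster. It assumes an in-memory directory standing in for the other provider's mailbox lookup, an assumed one-year re-verification policy, and constructed accounts, addresses and IPs; it replays the recycled-mailbox scenario from the article and shows the reset being refused and the stale recovery address purged.

```python
"""Recovery-mailbox liveness check for a password-reset flow (illustrative)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy: a recovery address must have been re-verified within a year.
MAX_VERIFICATION_AGE = timedelta(days=365)


@dataclass
class Mailbox:
    """What the other provider knows about an address (constructed stand-in)."""
    created: datetime          # when the *current* owner registered it
    deleted: bool = False      # recycled for inactivity


@dataclass
class RecoveryAddress:
    address: str
    verified_at: datetime      # when the user last proved control of it


@dataclass
class Account:
    username: str
    recovery: Optional[RecoveryAddress]
    attempts: List[dict] = field(default_factory=list)   # audit trail


def mailbox_status(directory: Dict[str, Mailbox], address: str) -> Optional[Mailbox]:
    """Stand-in for the cross-provider 'does this mailbox exist' lookup."""
    return directory.get(address.lower())


def evaluate_recovery(account: Account, directory: Dict[str, Mailbox],
                      now: datetime) -> Tuple[str, str]:
    """Decide whether a reset link may be sent to the recovery address."""
    rec = account.recovery
    if rec is None:
        return "refuse", "no recovery address on file"
    box = mailbox_status(directory, rec.address)
    if box is None or box.deleted:
        return "refuse", "recovery mailbox no longer exists"
    # The address was registered *after* we last verified it: a different
    # person now owns it (the Hotmail recycling case from the article).
    if box.created > rec.verified_at:
        return "refuse", "recovery mailbox re-registered after it was last verified"
    if now - rec.verified_at > MAX_VERIFICATION_AGE:
        return "refuse", "recovery address verification is stale"
    return "send", "recovery mailbox still held by the verified owner"


def request_reset(account: Account, directory: Dict[str, Mailbox],
                  source_ip: str, now: datetime) -> Tuple[str, str]:
    """Handle one reset request: log it with the requester's IP, and purge a
    recovery address the other provider reports as dead or re-registered."""
    decision, reason = evaluate_recovery(account, directory, now)
    account.attempts.append({"ip": source_ip, "at": now,
                             "decision": decision, "reason": reason})
    if decision == "refuse" and reason.startswith("recovery mailbox"):
        account.recovery = None   # never send to that address again
    return decision, reason


def replay_thread_scenario():
    """Constructed replay of the article's attack chain with the check in place."""
    def t(y, m, d):
        return datetime(y, m, d, tzinfo=timezone.utc)

    # Constructed data: an employee whose Gmail-style account lists an old
    # webmail mailbox (registered 2006, verified Jan 2009) as its recovery address.
    directory = {"[email protected]": Mailbox(created=t(2006, 3, 1))}
    victim = Account("employee", RecoveryAddress("[email protected]", t(2009, 1, 15)))

    legit = request_reset(victim, directory, "198.51.100.7", t(2009, 2, 1))

    # The other provider recycles the inactive mailbox, and someone else
    # registers the same address afresh.
    directory["[email protected]"].deleted = True
    directory["[email protected]"] = Mailbox(created=t(2009, 7, 1))

    attack = request_reset(victim, directory, "203.0.113.9", t(2009, 7, 2))
    return legit, attack, victim


if __name__ == "__main__":
    legit, attack, victim = replay_thread_scenario()
    print("legitimate request:", legit)
    print("after recycling:   ", attack)
    for entry in victim.attempts:
        print("audit:", entry)
```

The decisive comparison is `box.created > rec.verified_at`: even though the address exists again, its creation date postdates the user's last proof of control, so the link is withheld and the address is dropped from the account. The audit list keeps the source IP of every attempt, refused or not, which is the trail the earlier poster asked for.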