Massive Twitter breach underscores the problem with "secret questions"

Twitter's Evan Williams certainly isn't the first famous person to have a "secret question" figured out by a hacker, but I'm always surprised when someone in IT circles falls victim to such an elementary attack.
It's not news that secret questions are a terribly bad idea for enabling password resets or protecting account information. For a question to work, the answer truly needs to be a secret. In the case of celebrities, finding an answer can be as simple as digging around their Facebook profile or fan pages.
The end result of this particular breach: hundreds of documents in a zip file, which the hacker is happily passing around to various blogs (like TechCrunch, Mashable, and this one where screenshots have been posted already). The zip contains everything from plans for a new office and applications for high-level positions to the original pitch for the Twitter TV show (which I can't wait to not watch should it ever happen).
Though ultimately, the information contained in the documents isn't the worst of it. More alarmingly, the hacker was also able to gain access to Twitter's domain registrar and the associated Gmail account. It would have been an easy step to alter the DNS servers and plunge the Twitterverse into chaos.
Clearly, people really need to start paying attention to things like this MIT report and the advice of their security-savvy friends.

Comments
Rocky, Jul 15th 2009 1:19PM
I kind of wish they had taken that easy step and altered the DNS servers. Then again, I'm fully biased and hate Twitter with a passion.