
Google Responds To Security Questions After Twitter Hack

By Damon Poeter, CRN July 15, 2009
We received a response late Wednesday from Google regarding criticism of the security of cloud-based software products for businesses, such as Google Apps. The criticism follows the reported hacking of Twitter employees' Gmail accounts, which, according to the hacker, was accomplished by means of the e-mail service's password recovery mechanism.

A Google Enterprise spokesman points to the company's Online Security Blog, where, not surprisingly, there is a discussion of password strength and password recovery protocols for the enterprise versions of Google Apps such as Gmail:

"We handle password recovery differently for our Google Apps customers. There is no password recovery process for individual Google Apps users. Instead, users must communicate directly with their domain administrator to initiate password changes on their individual accounts," writes Macduff Hughes, an engineering director at Mountain View, Calif.-based Google.

Interesting -- it seems some important piece of information is still missing in the Twitter hacking story, if the password recovery process for Twitter's Gmail accounts isn't really similar to the old Yahoo mail mechanism that led to Sarah Palin's e-mail getting hacked last year via fairly simple social engineering.

The hacker does claim to have broken into Twitter employee-owned accounts for non-Google services such as Facebook and PayPal as well, so maybe the password recovery exploits "Hacker Croll" boasts of were used to crack those accounts but not Gmail.

Or maybe Hacker Croll is just leading us all down the garden path.

