Passwords Not Taken, But Password System Source Code Said Stolen
In today’s New York Times, there is a fascinating and disturbing story shedding more light on the hack attack on Google that occurred in January and led to its pullout from China. According to the story, hackers stole the source code to Gaia, which the Times says is "one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications."
The Times story, citing "a person with direct knowledge of the investigation", reports that Google’s passwords were not taken, but the worry is that the hackers will now be able to find a weak spot in the password system that Google does not know about and exploit it. Google has taken measures to protect against that threat, but unless it completely rewrites Gaia (something very unlikely), a risk remains.
The Times says that "The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program … By clicking on a link and connecting to a ‘poisoned’ Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."