The Social

January 2, 2010 6:00 AM PST

For eBay sellers, a holiday hamster hangover

by Caroline McCarthy

Zhu Zhu Pets, the battery-powered hamsters that became a huge kiddie craze this holiday season.

(Credit: Cepia LLC)

With toy store shelves and television commercials chock full of eye-popping video games and fancy tech playthings, it came as a surprise to many that some of the hottest toys this holiday season were inexpensive, relatively low-tech battery-powered hamsters imported from China called Zhu Zhu Pets. The fuzzy toy rodents manufactured by Cepia LLC, which came in models with names like "Num Nums" and "Mr. Squiggles," could barely stay on shelves for most of the end of 2009, and nobody really saw it coming.

For avid eBay sellers, it was the perfect recipe for profits--if they managed to jump on the trend early enough.

Jorge, a field inspector for a Southern California insurance company, had no idea what Zhu Zhu Pets were when his daughter asked for one for her seventh birthday late in the summer. "She saw the commercial on TV and asked me for a Zhu Zhu Pet," Jorge, who asked that his last name be withheld, told CNET via phone. "I went to my local Toys-R-Us, where I have friends who work there. I asked for the Zhu Zhu Pets. They didn't even know what it was. They had four of them, but they'd promised them to some lady in LA."

This is what piqued Jorge's interest: He, and his local Toys-R-Us, are hundreds of miles away from Los Angeles. Someone far away was looking for these toys, which signaled to him that they must have been, for one reason or another, difficult to obtain. This was relevant to Jorge because, as a side project, he'd been selling toys on eBay for about a year.

The story began, as so many do these days, with unfortunate circumstances induced by the recent recession. "The reason why I got into eBay was that I was laid off from work. I was off work for about 10 months," he related to CNET. As the parent of a young child, he had an in-house market research indicator. And when he found a new full-time job, he had to accept a significant salary cut, so he kept selling toys. "Going through eBay has afforded me to survive."

He ended up buying seven Zhu Zhu Pets, all for the market price of about $8. He kept one for his daughter's birthday. The rest, he put on eBay. They were sold the same day. For the next few months, Jorge's e-commerce hobby turned into a combination of an intense strategy game and the low-grade '90s comedy "Jingle All The Way," about the hyper-competition over a hard-to-get holiday toy (which starred, somewhat ironically, the actor who is now governor of the state where Jorge was undertaking his Zhu Zhu Pets retail operation).

"That week, I started picking them up, buying them anywhere I could--Wal-Mart and Toys-R-Us were the only two that were carrying them at the time," Jorge said. "I never held any of them for more than a day. I would find out when Toys-R-Us was getting their next shipment. Wal-Mart would get their trucks later at night, so I'd go at 10, 11, 12 o'clock at night to Wal-Mart, go home, and put them on eBay. By the time I woke up in the morning, they were sold."

This is right about when the trend began to take off. eBay says that from August to September, sales of Zhu Zhu Pets and related items (that is, "accessories" for the little furballs) escalated 1,500 percent. Between October 15 and November 15, four times as many Zhu Zhu Pets were sold as had been sold in the entire year to date. At the beginning of Thanksgiving week, they became the top searched term on the site. Over 100,000 were sold in the first week of December. A scare over potential recalls and toxic materials in "Mr. Squiggles" didn't do a thing to slow down the momentum.

Gambling on boom times
Jorge, for one, began to focus his eBay operations almost exclusively on Zhu Zhu Pets, though he said he did keep selling a few other surefire holiday hits, like the Mattel brain-game system MindFlex. Other products were relegated to the back burner as the average price for a Zhu Zhu Pet on eBay started to skyrocket from somewhere around $20 to a peak between $40 and $50. This is the reality of being a certain breed of e-commerce seller: You have to be ready for the rush, and equally ready for the day when a retail fad will suddenly fall back down to earth.

Remember back in high school or college biology class, when the curriculum turned to evolution and explained the competing theories of gradualism versus punctuated equilibrium? It's not all that different from the disparate strategies that eBay merchants can pursue. E-commerce sellers can opt to maintain a steady, fairly traditional electronic storefront with a wide selection of goods. Plenty of them make a very stable living this way, though it can take snail's-pace growth to get there.

For someone like Jorge, capitalizing on the hottest trend of the moment, profits can come quick if you're lucky. But it's a far riskier gamble, and boom times can be interspersed with long periods of stagnation before the seller in question manages to seize the proper timing and supply-chain structure again.

But wait, there's more! Power sellers of Zhu Zhu Pets also profited from selling accessories for the little robotic hamsters, like this 'adventure ball.'

(Credit: Cepia LLC)

Though he's been involved in eBay sales for over a year now, Jorge said he hasn't become actively involved in the e-commerce site's "power seller" community. He did, however, say that competitors started to encroach upon him quickly. "At first, I was the only one buying [Zhu Zhu Pets], so that was nice, and no one was paying attention to them, but there were other collectors in the area who saw what these things were going for, and it became kind of hectic," he told CNET.

It got ugly. "I had at least 5 to 10 collectors that I had to compete with just in my city," Jorge said. "It got to the point that they knew who I worked for and started complaining. (My employer said) that whatever I do on my lunch time and my break time is my business." He even encountered a local Wal-Mart employee who would buy up Zhu Zhu Pets with an employee discount and then put them on eBay--they're allowed to do this, he said, as long as they aren't on the clock; Toys-R-Us, on the other hand, doesn't permit employees to purchase inventory and then resell it online.

Jorge said that he never purchased Zhu Zhu Pets online to resell, saying it simply wasn't profitable. The only way that he could make money off the sales was by purchasing the hamsters in brick-and-mortar stores, but that was growing increasingly difficult as toy stores started to impose limits on how many hamsters a single customer could buy in a day.

So Jorge got even more strategic. "I recruited some friends. I had, any week, between 5 and 10 friends. I'd give them the money and they'd get what I needed," he said, adding that in return he offered them compensation but that most turned it down. "I think they enjoyed the rush. They're very competitive individuals." He added that another friend works as a truck driver who regularly makes cross-country trips, and that he would check for Zhu Zhu Pets in the cities where he stopped, bringing them back to Jorge.

Ruthless? Maybe. Jorge's tactics proved controversial to some.

"I got hate mail from moms who bad-mouthed me for picking up Zhu Zhu Pets when they weren't able to pick them up for their children during Christmas," he said. "I e-mailed them back and let them know to find out when their stores were receiving the shipments. I told them Toys-R-Us is pretty good about telling you when they receive their shipment and that they know 24 hours ahead of time what's going to be on the truck. You just need to show up early."

He said that Zhu Zhu Pets must have been more difficult to obtain on the East Coast, particularly New York, as that's where he shipped the vast majority of the toy hamsters. His top buyer was actually the owner of a store in Brooklyn who wanted to be able to restock his shelves. But eBay says that the Zhu Zhu Pets trend was nationwide: The region that bought the most Zhu Zhu Pets off the site was actually the Bay Area city of Alameda, Calif. In second place was Stillwater, Minn., followed by Shelton, Conn.; St. Paul, Minn.; and Bethlehem, Penn.

When CNET spoke to Jorge late in December, he'd sold as many as 500 Zhu Zhu Pets and pocketed as much as $6,000 in profits from the hamsters and accessories. But now that the holidays are over, the demand has more or less vaporized. "It's kind of died down right now, so I'm not selling them," he said. "I have my eye on them to see if they'll come back up."

The cutthroat competition didn't faze him, either; in fact, Jorge said, he'd love to do it again. He's hoping to be ready for the next big retail fad. "I constantly try to monitor through newspapers or through the Internet to see what's hot and what's not," he explained. "Then I go to my local stores to see if they're selling. I have friends who work at Toys-R-Us and Wal-Mart, and I always ask them what people are asking for."

It's not clear whether someone like Jorge, who experienced big-time success with a hot holiday gift trend, will immediately be able to seize another hit before it happens--the number of factors that have to be in a seller's favor is more or less on a par with total planetary alignment. That said, because being an eBay merchant isn't his full-time job, Jorge is able to operate on the fast, anticipate-the-demand principles that could prove too risky for someone whose e-commerce storefront is a primary source of income. But regardless of the uncertainty, he's looking forward to keeping it up.

"It pays the bills," Jorge said.

December 23, 2009 10:54 AM PST

Facebook COO nominated to Disney board

by Caroline McCarthy

Facebook isn't just for kids anymore, but it looks like Disney's still an admirer: The entertainment conglomerate has nominated Sheryl Sandberg, chief operating officer of the massive social network, to its board of directors.

In a release Wednesday, Disney made the announcement and stated that shareholders will vote on Sandberg's nomination (along with the re-election of its 12 current directors) at the company's annual meeting on March 12 in San Antonio, Texas.

Facebook COO Sheryl Sandberg

(Credit: Corinne Schulze/CNET)

"Sheryl has been at the forefront of a technological revolution that's opened up a world of new possibilities for consumers and which has greatly affected the way we do business," Disney CEO and president Robert Iger said in the release. "Her unique insight, born of great practical experience, will be of considerable value to Disney's shareholders."

Sandberg was named to the COO position at Facebook last March, following the departure of executive Owen Van Natta, who is now CEO of the News Corp.-owned MySpace. Sandberg has since become one of Facebook's chief liaisons with the media and advertising industries, speaking at numerous conferences to pitch the social network's ad and marketing products.

Prior to her hire at Facebook, Sandberg was a sales executive at Google and chief of staff for the U.S. Treasury Department.

So where does Disney stand in the Web 2.0 world? It owns kiddie virtual world Club Penguin, which it acquired for $350 million well before the real hype began over social games and virtual goods. It's also reportedly in talks with Apple to become part of the tech giant's potential subscription TV service, and this spring became a partner in joint video venture Hulu alongside original partners NBC and News Corp.

December 22, 2009 2:28 PM PST

Facebook app privacy: It's complicated

by Caroline McCarthy

Earlier this week I wrote a post about how I didn't like that I couldn't alter the Facebook Connect privacy settings for updates from Foursquare, an iPhone app that shares my location through a GPS-enabled city directory. It didn't make sense to me that Facebook Connect information was automatically visible to anyone who had access to posts on my "wall," whereas privacy settings on a third-party app embedded directly on my profile were much more fine-tuned, allowing me to restrict them to specific subsets of friends.

I've been e-mailing back and forth with Facebook, and I've gotten some clarification on how the process works. Privacy controls for embedded apps aren't as simple as I'd thought. I can opt to block the "box" for a third-party game like Mafia Wars or Farmville, as the privacy controls indicate, but activity from those apps--e.g., if I just picked up a new weapon in Mafia Wars--will still show up to anyone who can see what I post on my Facebook wall, like status messages and new friend connections. (You can, however, block individual Platform apps from posting to your wall in the first place.)

"Activity from apps and Connect sites are grouped with the activity you take on Facebook (which then appears on your wall), all of which can be blocked from a select group of people using publisher privacy," Facebook representative Malorie Lucich explained to me via e-mail. "So, for example, if you don't want your boss seeing your Mafia Wars activity and your usual Facebook activity, you can block her/him from viewing your wall."

Everything on the wall, therefore, is treated as a single unit. Except not quite: With status messages and content posted directly through Facebook, as part of Facebook's new privacy controls there's now a drop-down menu that lets me choose exactly who can see that message--the public Web, friends of friends, only my friends or "networks," or stratified groups of friends. That's great, because I can post a status message asking for Christmas present suggestions, and opt to block it from my family or other potential gift recipients.

For third-party apps, I'm not so lucky. I'm sure I wasn't the only Facebook member who figured that blocking the Mafia Wars "box" from a certain list of friends would also block activity updates on my wall. According to Facebook, it doesn't.

I'm also sure I'm not the only one who would like to use Facebook Connect with a service like Foursquare that isn't normally public; I liked some of the comments that would appear on "check-ins" pushed to Facebook (when I checked into a restaurant, for example, a few people responded with their favorite menu items, and another asked about the variety of beers on tap). But wanting to keep them restricted to half or a third or a quarter of my Facebook friends is not always just a matter of privacy--the majority of my Facebook friends have no interest whatsoever in which coffee shop I just checked into on the likes of Foursquare or Gowalla, and out of courtesy I don't want to plaster it all over everyone's news feeds. I'd like Foursquare's implementation of Facebook Connect, theoretically, to only be visible to close friends and people who live nearby.

Facebook is, and should be, proud of the wealth of data that gets shared on members' "walls." On Friday morning, I used my status message to solicit tips for an upcoming tropical getaway, and got some terrific suggestions from people in my "social graph" whom I hadn't talked to in ages. This was a great example of something that I'd like to open up to my entire Facebook network. But when it comes to information that's local, sensitive, or otherwise private, I'd like to be able to restrict it. As Facebook Connect grows bigger and more diverse, these instances are likely to come up more often.

So if I had to come up with a most-wished-for new Facebook feature, this might have to be it.

December 22, 2009 10:32 AM PST

Snowstorm blankets Web with high shopping traffic

by Caroline McCarthy

This ticked-off cat isn't too thrilled about the snow, but plenty of online retailers are.

(Credit: Caroline McCarthy/CNET)

A blizzard that pelted much of the Eastern Seaboard with over a foot of snow also led to a spike in last-minute online holiday shopping last weekend, traffic firm ComScore said Tuesday.

Online shopping continues to eat up a bigger chunk of holiday retail each year, but this season, with roads snowbound and temperatures well below freezing in some of the most populous areas of the country at the tail end of the holiday season, it was even more than usual. (Several cities in the mid-Atlantic, like Philadelphia and Washington, D.C., pulled in more snow in a single snowfall than they typically do in an entire season.) For the weekend of December 19-20, U.S. traffic to non-travel retail sites was up 13 percent from the equivalent weekend last year--and on Tuesday, December 15, right when the storms started hitting weather forecasts, it was up 21 percent.

That Tuesday marked the biggest online spending day in history, ComScore says.

"The major snowstorms hitting the eastern seaboard over the weekend appear to have given holiday e-commerce an additional boost, resulting in the heaviest online spending week on record at $4.8 billion," ComScore chair Gian Fulgoni said in a release. "Consumers have clearly continued to spend online later into the season this year, with several very strong spending days in the most recent week including the heaviest online spending day in history--Tuesday, December 15, with $913 million. Retailers have been very aggressive with late season promotions while informing consumers that they could still get their purchases shipped in time for Christmas, and these tactics seem to be paying off."

A survey from Coremetrics said that sales for "Cyber Monday," the Monday after Thanksgiving and typically a day for big online deals, showed healthy gains this year.

December 21, 2009 3:20 PM PST

Big Facebook privacy void: Controls on Connect

by Caroline McCarthy

A Foursquare check-in posted to Facebook through Facebook Connect.

(Credit: Facebook)

Privacy on Facebook has been front and center this month as the company has rolled out the controversial revamp of its user privacy settings. One thing that's thankfully stayed intact has been the ability to restrict the third-party applications on your profile to specific "lists" of friends--so that you can, for example, block your Mafia Wars activity from everyone who's not on your "People Who Know About My Mafia Wars Addiction" list.


Dopplr, an app that you can install as a 'box' on your Facebook profile, has privacy controls that allow you to block it from various groups of your friends.

(Credit: Facebook)

But for stuff on my profile that was published through Facebook Connect rather than an app "built" on the platform, this is not the case. For some reason, information published to Facebook through Facebook Connect does not have any privacy controls attached to it, so it's either available to everybody or nobody.

To backtrack a little bit, Facebook first rolled out developer-created applications in the summer of 2007, and then a year later introduced Facebook Connect, which lets users log into third-party sites (and iPhone apps) from their Facebook profiles and publish content back to Facebook.

Facebook Connect apps that publish content back to Facebook profiles (which have additional permissions from those that simply let you log in with your Facebook ID) are grouped alongside the original variety of platform apps in Facebook's "Application Settings" privacy controls section. But the Connect apps don't have a "Profile" tab in their settings, because there isn't an embedded "box" for the app--just what shows up in your News Feed.

"We are evaluating adding post-level privacy settings for stories created through external developers, but for the time being, there is currently no difference between the settings for applications and Facebook Connect activities," Facebook representative Malorie Lucich told CNET via e-mail. "So, while you can control who sees the applications living in your profile boxes and application tabs, you currently cannot granularly control who sees your application activity in your feed."

I discovered this when I was testing out the new Facebook Connect feature on geo app Foursquare, one of the many mobile apps that lets you "check in" to different establishments and broadcast it to your friends from your phone. Foursquare will let you choose before you check in whether you want to broadcast that location to Twitter, and co-founders Dennis Crowley and Naveen Selvadurai tell me that a selective "share this on Facebook" button is coming alongside the Twitter button in a future version of its iPhone application. That'll help a lot, because right now, it'll share all of your check-ins to Facebook or none of them.

In the meantime, I decided to see whether I could restrict Foursquare's Facebook Connect publishing to one or two of my stratified Facebook friends lists--I mean, I don't need to clog all those news feeds up with a day's worth of check-ins, and my boss doesn't need to see that I checked in at Tom & Jerry's Bar after midnight on a weekday. (Not that I'd ever do that.)

Those settings don't exist for Foursquare, though, which takes the form of a Facebook Connect implementation rather than an embeddable app.

(Credit: Facebook)

Unfortunately, because you can't modify privacy controls for a Facebook Connect app, this means I can either show actions to all my friends (my profile is friends-only by default) or none of them. This appears to be the case for everything that's published to Facebook through Connect rather than an app--the same applies, for example, to Foursquare competitor Gowalla.

Right now, Facebook's Malorie Lucich explained to CNET, Facebook Connect posts are treated as "wall" activity. "With Facebook Platform applications and Facebook Connect, users always have control over whether or not they want their activity published to their feed for their friends to see," she wrote. "You can also control who sees your overall activity on Facebook by setting who can see 'posts by me' on your privacy settings page. This will limit who can see your Wall."

"As outlined in our (developer) roadmap, upcoming changes will make it easier for users to directly communicate with their friends about applications and Facebook Connect activity via the inbox," Lucich's e-mail continued. "Additionally, profile boxes and the boxes tab will be removed, making application tabs the sole way to integrate applications statically with your profile--and you will continue to be able to control who sees that content."

But Facebook Connect is huge. More than 80,000 third-party sites are now participating, and not all of them deal with publicly available content (e.g., Yelp reviews, photos uploaded to Flickr, comments on Digg). Privacy controls here are something that Facebook could certainly improve; the company says that plans for data permissions are still evolving.

This post was expanded at 4:46 p.m. PT with comment from Facebook.

December 21, 2009 8:42 AM PST

Twitter? Profitable? Really?

by Caroline McCarthy

This one's a surprise. Twitter will have turned a profit in 2009, a BusinessWeek report claims, citing sources. What happened? Search deals with Google and Microsoft brought in a nice chunk of cash for the company, which has raised well over $100 million in venture capital and has a paper valuation floating somewhere around $1 billion.

Considering the company has not yet put forth a long-term revenue strategy, this would be one of those Christmas miracles along the lines of a neurotic mom getting home to her stranded 8-year-old by fortuitously hitching a ride with a polka band fronted by John Candy.

So let's look at the details. Sources told BusinessWeek's Spencer Ante that Twitter's search deals with Google and Microsoft's Bing brought in $15 million and $10 million respectively, and that Twitter has managed to cut some of the high costs related to text-message functionality. (These costs were so exorbitant that Twitter temporarily had to restrict some international SMS codes.) OK, cool. Those numbers are decently plausible, and Twitter's strategic hire of a mobile business-development dude early this year likely had something to do with it. And Ante's article makes it clear that while sources have told him that Twitter will end 2009 on a profitable note, that doesn't mean it's going to be profitable next year.

But there's a difference between being cash-flow positive and being profitable, and it's also not totally clear as to what Twitter's other expenses are, or what they will be next year.

Ante writes:

Now that Twitter has become so popular, it has gained bargaining power with telecom companies and has managed to renegotiate so many deals with carriers that the company pays far less for the services. "Those used to be the biggest line item," says one source. "Generally speaking, those costs have gone away. Now people are the biggest line item."

People. Yes. Like the new office space they just moved into, and their still-expanding payroll, and stuff like that. Also: hardware, and other forms of defensive weaponry against evil whale attacks. The company also sometimes buys stuff, and continues to develop new features--like the current test of "contributors" accounts that it may end up charging for. So even with costs cut via a savvier mobile strategy, there are plenty of other costs that could be escalating simultaneously.

What's good news for Twitter is that getting $25 million out of search deals (if that's indeed true) shows that the company could expand that into a stronger long-term revenue strategy. Critics have been lukewarm on the possibility of Twitter attempting to support itself with advertisements or paid accounts, and nobody's really gone into depth on the question of whether the businesses currently raving about Twitter's power of "conversation" will cough up for more in-depth analytics.

December 21, 2009 6:24 AM PST

Yelp bails on Google deal?

by Caroline McCarthy

Maybe they read the Yelp review that says Google's headquarters is infested with skunks and raccoons.

Just a few days after reporting that Google was about 80 percent likely to be acquiring business reviews site Yelp for a totally sweet $500 million, TechCrunch has backtracked. Late Sunday, TechCrunch reported that Yelp CEO Jeremy Stoppelman personally walked away from the deal and that company representatives informed Google over the weekend they aren't selling.

Or it might have been the skunks.

(Credit: CC Out at Bob's/Flickr)

That's odd. People seemed to think it was generally a good deal. TechCrunch isn't exactly sure what went wrong but speculates that Yelp may have gotten a better offer for a potential acquisition or strategic partnership that caused it to bail.

What could also have something to do with it: Google does a lot of things very, very well, but one thing it's never nailed is community. (Knol most certainly didn't kill Wikipedia, Orkut was big in Brazil but then faded in the wake of Facebook's growth, and YouTube's commenters seem to come from a very special place somewhere between the sixth and seventh circles of hell.) That's evident from looking at what Yelpers had to say about the potential deal last week. Proudly opinionated and devoted to the Yelp brand, many Yelpers were concerned that a Google buyout would degrade the site's sense of community--something that could, effectively, kill it.

Perhaps Yelp's execs thought the same and figured that strategic partnerships might be a better route for now.

December 18, 2009 11:34 AM PST

Facebook to hold spring F8 dev conference

by Caroline McCarthy

Looks like Facebook will be throwing another big "F8" developer conference in the spring, after taking 2009 off. According to a sparse post on the company's developer blog, the event will be held April 21 and 22 in San Francisco. No more details are currently available.

"F8 has always been about empowering a community of developers to hack, to build and to delight users," the post reads. "We're looking forward to continuing this tradition at our third F8 in San Francisco on April 21-22, 2010. Please save the date!"

This is a big deal because Facebook's past two F8 conferences have marked the debut of some of its biggest products: in 2007, the groundbreaking Facebook developer platform, and in 2008, Facebook Connect. It's likely that the 2010 version will involve some kind of high-profile launch, too.

What could it be? The obvious possibility is Facebook's long-rumored payment platform or virtual currency system, which currently only powers the internal "gift shop" feature along with a few test developer apps and nonprofit partners. This is more or less Facebook's worst-kept secret: it's been in development for quite some time, but appears to have been repeatedly modified internally. Once said to be a straight-up PayPal competitor called "Facebook Wallet," the project has evolved to fall more in line with the meteoric rise in virtual goods-based social gaming, one of the biggest and most profitable runaway hits on Facebook's platform. It could also mean that Facebook starts to make some serious money from transaction fees and become a real power player in the e-commerce space.

Still, we don't know for sure. We'll keep you updated as more details become available about F8 2010 over the coming months.

This post was updated at 11:42 a.m. PST with a link to the post on Facebook's developer blog.

December 18, 2009 10:34 AM PST

What would Yelpers think of a Google buyout?

by Caroline McCarthy

If Google's rumored $500m acquisition of Yelp goes through, the search giant may finally get a solid lock on the "hyperlocal" Web. But it'll also be acquiring a big community site--and those are notoriously hard to wrangle.

Restaurant industry blog Eater might have put it best: "One can only assume that with Google's muscle behind the site, the millions of users who log on to complain about restaurants would be able to say stupid stuff faster, and with more efficiency," editor Amanda Kludt wrote on Friday.

All snark aside, it's the same sort of issue that arose a few years ago amid persistent rumors that Google was going to acquire Digg, another site reliant on heavy participation from a loyal and extremely vocal community. The questions are more or less similar: What would Google change, and how much would they change it? Does Google's massive scope make it untrustworthy?

Yelp's official word: "Yelp is approached frequently by numerous entities to discuss partnerships, investments and more, and the company does not comment on private discussions that may occur."

Truth be told, the state of Yelp's forums on Friday indicated that many were more interested in talking about "Why are NYC apartment brokers such d-bags?" and "The official 'Jersey Shore' on MTV thread" than about whether Yelp might get sucked up by the Google monster. But a few threads did emerge, and the gist seems to be pretty much the same: They better not change too much. And please keep throwing parties.

"I wonder how this will effect Elite parties as well as Yelp Talk?" one Yelper asked in a Bay Area-centric thread about the acquisition. Another said, "So long as it's not Rupert Murdoch buying it." Some Yelpers were optimistic, suggesting that maybe there would be better integration with Google maps or additional technical improvements.

But others were concerned about quality control. "It means more trolls and fake reviews," one Yelper griped.

"Anyone ever look at the comments on YouTube videos?" another asked. "That is what is gonna happen here."

There were a few threats of account deletion, like "If this happens, I'm deleting my profile" and "Yelp is big because of us. Let's demand money or delete our accounts en masse." Generally, those aren't any real indicator of community revolt, but they're a reminder that it's extremely possible for a big buyer of a community site to mess things up big-time. LiveJournal users weren't thrilled about its Six Apart ownership, which ultimately failed. Likewise, when News Corp. acquired social network MySpace, mismanagement and a lack of innovation were likely what led to a drop in traffic and the eventual dominance of Facebook.

Worth a read: Yelpers' reviews of Google HQ in Mountain View, Calif. Choice bits range from "Google has lots of yummy, organic snacks and drinks" to "They have way too many skunks after 7 p.m. nightly and raccoons living on the Google campus."

This post was updated at 10:48 a.m. PT with comment from Yelp.

December 18, 2009 5:56 AM PST

So, is it safe to tweet now?

by Caroline McCarthy

What Twitter's homepage looked like before it went down on Thursday night.

(Credit: CC u07ch/Flickr)

Twitter stumbled again overnight on Thursday. But this time, it wasn't the work of the "fail whale," the cuddly cartoon personification of the site's excessive technical baggage. Rather, the site was replaced with a foreboding message from "Iranian Cyber Army" before crashing entirely, indicating that it had been the victim of a malicious attack that targeted its internal servers.

Co-founder Biz Stone posted a brief clarification on the issue late on Thursday night. "Twitter's DNS records were temporarily compromised tonight but have now been fixed," he explained. "As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully."

At the risk of sounding like an evening-news anchor calling attention to exactly how dangerous your treadmill is or how many diseases you can get from the ball pit at Chuck E. Cheese, I think it's time to explore the question: Is it safe to use Twitter?

For one, Twitter's track record with security has been shaky at best. A security flaw this spring exposed the data of a number of employees and allowed a hacker to pilfer some internal documents. Several high-profile accounts, like those of Britney Spears, Ashton Kutcher, and CNN anchor Rick Sanchez, have been targeted individually. Twitter has been the victim of phishing attacks. Other hackers have proved that Twitter accounts can be set up specifically to corral botnets of infected PCs. And in perhaps the biggest incident of all, a politically motivated denial-of-service attack in August that targeted multiple social-media sites managed to cripple Twitter entirely.

Think of it this way: if Facebook, a far bigger and more mainstream site that's had concerns about user privacy splashed all over the news recently, saw its homepage replaced with a nefarious political message, there would probably be a fresh round of calls for CEO Mark Zuckerberg's resignation. Twitter's heavy users are, for better or for worse, accustomed to sporadic downtime and glitches. They're also less likely to ever visit the Twitter.com homepage, considering the service has so many points of entry--text message, as well as third-party apps for mobile, Web, and desktop. Users have become accustomed to logging into third-party applications with their Twitter credentials.

That, perhaps, makes the overnight hack a bigger concern. Even though it's unlikely that user accounts were compromised in this DNS redirect, it's yet another sign that Twitter's security operations have time and again proven weak enough that the service doesn't exactly seem watertight.

A political message, or just plain obnoxious?

On the other hand, we still don't know much about this attack and it may have been less sophisticated than some may fear. One, nobody's exactly sure yet who the hackers were. "Of course, just because a message saying 'This site has been hacked by Iranian Cyber Army' has been posted on a Web page does not necessarily mean that hackers from Iran are responsible for the defacement," Sophos security consultant Graham Cluley wrote on his blog Friday.

Additionally, Cluley said, the aim seems to have been to either get a political message through or to simply be obnoxious. "Fortunately there is no indication at this point that the page was carrying malicious code, and this attack appears to have had political motivations rather than being designed to steal confidential information from users," he wrote.

"It really looks like people were redirected to a 'hacktivism' site," weighed in fellow Sophos analyst Beth Jones via e-mail. "There was no malicious code on the site claiming to be the 'Iranian Cyber Army' either. It looks like they just hacked the registrar to redirect traffic. So it's quite probable that none of Twitter's own servers were touched."

Another reassurance is the fact that Twitter simply doesn't have the kind of sensitive data that a Facebook or Google does. While it does have millions of mobile phone numbers stored to power its text-message app, not to mention archived private "direct messages" between users, Twitter does not index a whole lot more that isn't otherwise public. Facebook, for example, has many members' credit card numbers on hand (if they've ever used its "gift shop" feature), not to mention extensive personal data in profiles like addresses, birthdays, and family connections. Members who are still concerned about the security of their Twitter accounts can take the obvious step of changing their Twitter passwords to something that they don't use on their e-mail, Facebook accounts, or elsewhere--just in case.

Beth Jones says she has confidence in Twitter. "I wouldn't say their security is second-rate by any means," Jones said via e-mail. "As it stands, they weren't actually compromised, but I can see from a user point of view the questions and concerns. At Sophos we see a new site compromised every 3.6 seconds. That's easily close to 24,000 sites a day, and of those, the vast majority are legitimate sites that get hacked."

That doesn't mean that Twitter shouldn't start making it more clear that it takes security seriously. If the company, which is now beta-testing a "Contributors" feature that may pave the way to paid corporate accounts, begins storing financial information, we can only hope that their security operations are turned up a few notches. Or, ideally, an order of magnitude.

This post was expanded at 6:23 a.m. PT with comment from Sophos' Beth Jones.

About The Social

CNET News' Caroline McCarthy is a downtown Manhattanite who believes that, despite popular opinion, the Web can actually help your social life. She's happily addicted to fun social-media tools from Twitter to Yelp to Facebook, sends an inordinate number of text messages, and has a tendency to waste time at the office reading restaurant blogs. Here, she explores all facets of the Web's gregarious side, as well as the unique tech culture in her home city of New York. (Don't call it Silicon Alley.)
