The folks at Twitter, Inc. are learning this the hard way:
The reason why 300+ confidential documents were stolen from Twitter’s Google Apps account was actually because of Google’s totally insecure login process.
Don’t believe me? Just try login at docs.twitter.com as… say “ev” like in Evan Williams, Twitter’s co-founder (”biz” would be another alternative). Of course, unless you really know the password or use some sort of an automated password tool, you won’t get in.
So Google is secure, right?
Wrong! For Sophos security analyst Chet Wisniewski, the problem is actually as simple as the vulnerability is huge: Google will not throw you out after, let’s say 25 attempts guessing Ev’s password.
Actually, Google doesn’t even seem to impose any limits on fraudulous attempts – I couldn’t get this confirmed by Google who will not talk openly about its security process.
Worse, because of Google’s lack of security, Twitter’s co-founder wouldn’t even know that someone has tried to breach into his account. “Even my Linux machine will warn me when my wife tries unsuccessfully to login,” jokes Wisniewski.
The whole thing is worth a read. It's also got screenshots, incidentally, which illustrate the perils of relying on Google Apps. Not only might Google harvest your data for its own purposes, but it won't be properly protected from hacking attempts.