This is the story of how, in 2004, Mark Zuckerberg hacked into the email accounts of two Harvard Crimson reporters using data obtained from TheFacebook.com’s logs. The details are drawn from a broader investigation of the origins of Facebook, the sourcing of which is described here.
But back in May 2004, he was a 19-year-old finishing up his sophomore year at Harvard.
He was also the acclaimed founder and creator of an increasingly popular Web site called TheFacebook.com, which had launched in February 2004.
As we’ve reported in detail in a separate story, the launch of TheFacebook.com was not without controversy. Just six days after the site launched, three Harvard seniors, Cameron Winklevoss, Tyler Winklevoss, and Divya Narendra, accused Mark of intentionally misleading them into believing he would help them build a social network called HarvardConnection.com, while he was instead using their ideas to build a competing product.
After Mark launched TheFacebook.com, Cameron, Tyler and Divya hired a series of developers to build HarvardConnection — the site Mark Zuckerberg had told them he would build but did not. By mid-May, the trio had a site ready for launch. By then the site’s name had changed from HarvardConnection to ConnectU.
Sometime during the 14 days leading up to May 28 — the editors at Harvard’s student newspaper, the Crimson, received an email in the their “tips” inbox from Cameron Winklevoss, one of the founders of ConnectU.
This email presented the argument Cameron Winklevoss, Tyler Winklevoss, and Divvya Narenda had already brought to Harvard’s Administration Board and to Mark Zuckerberg — that TheFacebook.com was the product of Mark Zuckerberg’s fraud against the ConnectU team.
Since the Winklevoss brothers were best known at Harvard for being exceptional rowers, the story was assigned to Crimson sports writer Tim McGinn. After a phone call, Tim hosted Tyler, Cameron, and Divya in his office at the Crimson. The four of them went over emails between Cameron and Mark.
After the ConnectU team left, the Crimson invited Mark into its offices to defend himself.
When Mark arrived at the Crimson, he asked Tim and Elisabeth Theodore, an editor helping with the story, to sign a non-disclosure agreement so that he could show them the work he’d done on HarvardConnection. Per Crimson policy, Tim and Elisabeth refused to sign the NDA.
Mark lingered around the office, evidently hoping they would change their mind. Finally, Mark agreed to forgo the NDA.On a Crimson computer, Mark brought up what he described as the work he did on HarvardConnection. He gave Tim and Elisabeth a guided tour of the site. Mark’s goal seemed to have been to show Tim and Elizabeth, the Crimson reporter and editor, that, other than the ways in which social networks are all the same, there were no features or designs in the work he did on HarvardConnection.com that ended up in theFacebook.com.
Mark’s demonstration was successful: After he left, the Crimson decided not to run a story. Tim emailed Tyler, Cameron, and Divya to tell them that the story would not run. He contacted Mark to say the the same thing.
But then, perhaps a day or so later, the Winklevoss brothers reached out to Tim McGinn again, this time to tell him that another Harvard rower — one named John Thomson — had told them that Mark had stolen something for TheFacebook from him, too. They told Tim that John’s claim was that Mark Zuckerberg stole from him the idea for a TheFacebook feature called “visualise Your Buddy.”
With a new accusation at hand, the Crimson decided to re-open its investigation. Tim McGinn called Mark and told him about about John’s claim and gave him a chance to deny it. Mark denied the claim and got very upset — apparently because he felt he had been promised there would be no story.
For the rest of that night and into the next morning, Tim and his editor Elisabeth Theodore attempted to follow-up with John Thomson. After they finally reached him, John told them that he made the whole Mark Zuckerberg anecdote up in order to impress the Winklevoss brothers, who were important members of the rowing team. [As an aside, kudos to the journalism at the Crimson!]
Tim and Elisabeth decided to drop John’s claims from the story. But, this time, they decided to go ahead and publish a story on ConnectU’s claims against Facebook.
Mark Zuckerberg was not content to wait until the morning to find out if the Crimson would include John’s accusations in its story.
Instead, he decided to access the email accounts of Crimson editors and review their emails. How did he do this? Here’s how Mark described his hack to a friend:
Mark used his site, TheFacebook.com, to look up members of the site who identified themselves as members of the Crimson. Then he examined a log of failed logins to see if any of the Crimson members had ever entered an incorrect password into TheFacebook.com. If the cases in which they had entered failed logins, Mark tried to use them to access the Crimson members’ Harvard email accounts. He successfully accessed two of them.
In other words, Mark appears to have used private login data from TheFacebook to hack into the separate email accounts of some TheFacebook users.
In one account he accessed, Mark saw an email from Crimson writer Tim McGinn to Cameron, Tyler, and Divya. Another email Mark read was this one, from Crimson managing editor Elisabeth Theodore to Tim McGinn:
From: Elisabeth Susan Theodore
To: Timothy John McGinn
Subject: Re: Follow-up
OK, he did seem very sleazy. And I thought that some of his answers to the questions were not very direct or open. I also thought that his reactiont o the website was very very weird. But, even if it’s true so what? It’s an [redacted] thing ot od but it’s not illegal, right?
We reached out to Tim McGinn and Elisabeth Theodore for comment. Both declined to comment.
When we reviewed the details of this story with Facebook, the company had this comment:
“We’re not going to debate the disgruntled litigants and anonymous sources who seek to rewrite Facebook’s early history or embarrass Mark Zuckerberg with dated allegations. The unquestioned fact is that since leaving Harvard for Silicon Valley nearly six years ago, Mark has led Facebook’s growth from a college website to a global service playing an important role in the lives of over 400 million people.”
We’re certainly not questioning the latter fact: Facebook’s success has been awe-inspiring. Given the significant concerns about privacy online in general and at Facebook in particular, however, it seems reasonable to ask what the company’s reaction — and Mark’s reaction — is to the reported behaviour above.
In the past, Facebook has told us: “Facebook respects user privacy and access to site usage and profile information is restricted at the company. Any Facebook employees found to be engaged in improper access to user data will be disciplined or terminated.”
It is clear that the events described above would be a direct violation of Facebook’s current policy, which has now been in place for several years. The policy was not in place at the time of the events described above.
A source close to the company suggests that it was the fallout from early privacy violations like this one — fallout that has included reputational damage to Mark Zuckerberg and expensive and prolonged litigation with ConnectU — that has shaped Facebook’s current privacy policies and made Mark the CEO he is today.
Business Insider Emails & Alerts
Site highlights each day to your inbox.