Twitter makes sure that they throw in the obligatory “this ain’t about Google Apps” disclaimer when actually it pretty much is.
This attack had nothing to do with any vulnerability in Google Apps which we continue to use.
If Twitter were using something other than a public cloud for their documents and messaging, well, it would have been a hell of a lot more difficult for someone to log in with a password retrieved via the recovery feature in Gmail.
I’ll still use Gmail and hope I never have to use Exchange again, but let’s not pretend that the ease with which the Twitter document heist was accomplished had nothing to do with the vulnerability of publicly accessible hosted services. Better passwords, routinely changing them, and not making forgotten password questions easy to defeat would all help… but then again Exchange administrators can force those things on users rather than relying on users to be self-regulating.