Now would be a good time to refresh your Twitter password. Twitter disclosed on Friday evening that its systems had been attacked in the past week by an unidentified group of hackers. As a result of the attack, the hackers may have had access to the usernames, email addresses and other sensitive information of nearly a quarter of a million Twitter users.
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later,” the company said in a blog post. “However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
Twitter’s hack announcement comes in a week crowded with announcements about media companies that have been hacked. On Thursday, the New York Times revealed that hackers, who had been inside its network for at least four months, had succeeded in stealing the usernames and passwords of all of its employees in an apparent attempt to identify sources and gather other intelligence about stories related to the family of China’s prime minister.
On Friday evening, Twitter sent out emails to those users whose accounts may have been compromised, notifying them that the company had automatically reset their passwords, and that they would need to create a new password in order to access the service again. A screenshot of the e-mail sent to the affected users accompanied this post.
The email also warns users to “Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.” The US Department of Homeland Security has also encouraged users to disable Java in their browsers, following a number of system breaches in recent weeks. Bob Lord, Twitter’s Director of Information Security, who wrote the blog post, did not explain how the attackers got in and accessed the data, but said that he did not believe Twitter was the only company targeted.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” he wrote. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”
One expert said that the Twitter hack probably happened after an employee’s home or work computer was compromised through a vulnerability in Java, a commonly-used computing language whose weaknesses have been well publicized. Ashkan Soltani, an independent privacy and security researcher, said such a move would give attackers “a toehold” in Twitter’s internal network, potentially allowing them either to sniff out user information as it traveled across the company’s system or break into specific areas, such as the authentication servers that process users’ passwords.
Twitter is generally used to broadcast messages to the public, so the hacking might not immediately have yielded any important secrets. But the stolen credentials could be used to eavesdrop on private messages or track which Internet address a user is posting from. That might be useful, for example, for an authoritarian regime trying to keep tabs on a journalist’s movements.
“More realistically, someone could use that as an entry point into another service,” Soltani said, noting that since few people bother using different passwords for different services, a password stolen from Twitter might be just as handy for reading a journalist’s emails.
Whatever the case, I’ll admit that I was pretty pleased with the way that Twitter moved swiftly to ensure the safety of their users. As well as dealing with the direct threat, they’ve given some helpful keys to ensuring safety online. Whether you’re using Twitter, Facebook or any other kind of online service, their advice is worth checking out.
Happy Tweeting (Maybe)! While you’re at it, take the above-mentioned advice. Also, change all of your passwords for everything. It’s a good thing to do once in a while, especially if you use the same one for every single site you log into.