Twitter was forced to reset the passwords of 250,000 of its users after it discovered that hackers breached the social network’s security.
Twitter disclosed on Feb. 1 that it had detected unusual access patterns that ultimately led to the identification of unauthorized attempts to access user data. This led to the discovery of a live attack that the company was able to shut down moments later.
But Twitter’s investigation into the incident made the company believe the attackers may have had limited access to user information, including usernames, email addresses, session tokens and encrypted/salted versions of passwords for 250,000 users.
As a precautionary measure, Twitter sent an email to the owners of the affected accounts and then reset their passwords and revoked their session tokens.
“A crook who steals your salted-and-hashed password can make educated, offline guesses at your password by trying out popular passwords (at great speed on modern password cracking kit), but if you have chosen a decent password, will probably get nowhere,” blogged Paul Ducklin, head of technology for Asia-Pacific at Sophos. “On the other hand, a crook who steals your session token can, in theory, take over your account, at least until he or you next log off.”
“By revoking your token unilaterally, Twitter will cause only minor annoyance to you (you will have to type in your password again) but create a major headache for any session hijacker (who will, if you have chosen well, be unable to enter your password to get back in),” he added.
According to a blog post by Bob Lord, Twitter’s director of information security, only a small percentage of users were potentially affected by the attack. Still, users are encouraged to use this as an opportunity to follow good password hygiene on the Web.
“Make sure you use a strong password—at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers and symbols – that you are not using for any other accounts or sites,” Lord blogged. “Using the same password for multiple online accounts significantly increases your odds of being compromised.”
With its announcements, Twitter added its name to a list of high-profile companies in the news late last week for being targeted in attacks. That list included The New York Times, The Wall Street Journal and The Washington Post. According to reports, many are placing the blame for the hacks on the newspapers on Chinese espionage. While Lord referenced the attacks against the papers in his blog post, he did not specifically link the Twitter attack to Chinese hackers.
“This attack was not the work of amateurs and we do not believe it was an isolated incident,” Lord blogged. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”
Twitter has been hit by serious cyber-attacks in the past. Hackers accessed at least 45 accounts between January and May of 2009, which prompted a Federal Trade Commission investigation that resulted in a settlement in which the company agreed to implement more rigorous security measures.