Thousands of Twitter users woke up this morning to discover e-mails from the social media service asking them to change their passwords. Why? Yesterday, Twitter announced that it had experienced an internal breach that compromised more than 250,000 user accounts before it was stopped. The incident, reported on the Twitter blog on Friday, was discovered earlier this week when Twitter detected “unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data.”
After shutting down one such attack while it was still in progress, Twitter went on to discover that the breach extended to over 250,000 accounts, and its investigation indicated that the attackers may have had access “to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords.”
As a result, the social media service has reset the passwords of the affected accounts and revoked their session tokens. This means that if you were affected, any application that uses the Twitter API on your behalf will stop working until you authorize it again, and you will have to reset your password with Twitter itself in order to regain access to your account.
From what we know now, this attack is not related to the recent Twitter outage earlier this week.
Why ask people to disable Java?
In the report, Twitter’s Director of Information Security, Bob Lord, warns users about the recent massive flaws discovered in Oracle’s implementation of Java and includes the recent warnings about the need to disable Java in browsers.
From a close reading of Lord’s report, this was a breach internal to Twitter and not caused by 250,000 users being exploited through a flaw in Java. In fact, Lord states that this was not an amateur attack at all and that the attackers had gained limited access to Twitter-internal information about the users in question.
Still, it is worthwhile to mention recent cybersecurity issues that directly affect user security. The report also covered basic password sanity, including the advice to “choose a long and complex password” that is not based on English words, even if it is memorable. Judging by previous password dumps from hackers, people are still a bit lax about their password choices.
Not the first massive-scale expert hack to happen in 2013
Twitter has joined the New York Times, The Wall Street Journal, and now the Washington Post in being hacked this week. All of them have suffered sophisticated intrusions over the past months, most of which appear to be connected to China, and all were, interestingly, announced during the same period. In every case the attackers appeared to be seeking information related to the accounts used by journalists at these organizations, and all of them were extremely expert in their capabilities.
As Lord explains in his post on the Twitter blog,
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
Twitter is yet another avenue of communication, not just for citizens but for journalists as well. The passwords and information stored in these accounts could be used to compromise other accounts, or may yet turn out to be part of a larger, more sinister attempt to gather information.
It’s too early to tell if the Twitter hack is at all related to the newspaper hacks this week, but the coincidence is extremely uncanny.