Feeds

Twitter breach leaks emails, passwords of 250,000 users

Links to media site attacks suspected

Reducing security risks from open source software

If you find that your Twitter password doesn't work the next time you try to login, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users.

"This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data," Bob Lord, Twitter's director of information security, writes in a blog post.

According to Lord, Twitter was able to shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls "limited user information," including usernames, email addresses, session tokens, and the encrypted and salted versions of passwords.

The encryption on such passwords is generally difficult to crack – but it's not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them.

As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just "a small percentage" of the more than 140 million Twitter users worldwide.

If yours is one of the accounts involved, you'll need to enter a new password the next time you login. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods. In addition, he recommends against using the same password on multiple sites.

Lord says Twitter's investigation is ongoing, and that it's taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users. 

Although the attack took place this week, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday. On the other hand, however, Lord's post does make rather cryptic mention of the US Department of Homeland Security's recent recommendation that users disable the Java plug-in in their browsers. He mentions Java twice, in fact.

While it's true that the Java plug-in contains multiple known vulnerabilities and that numerous security experts have warned that it should be considered unsafe, the connection between Java and the attack Twitter experienced isn't clear – and Twitter reps didn't respond to El Reg's request for clarification. ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.