Last Friday, Twitter’s Director of Information Security, Bob Lord, published a blog post stating that Twitter had detected ‘unusual access patterns that led us to identifying unauthorized access attempts to Twitter user data’.
Twitter was able to shut down the attack it found, but believes the attackers may have accessed user information for around 250 thousand people. The information potentially exposed includes usernames, email addresses, session tokens, and encrypted passwords. Twitter also salts its passwords, meaning random characters are added to each password before it is stored, so that two users with the same password do not end up with the same stored value.
The post came the day after the New York Times reported that employee usernames and passwords had been stolen, and on the same day that both the Wall Street Journal and the Washington Post reported intrusions of their own. Bob Lord describes the attackers as professionals and likens the incident to those other attacks.
In response, Twitter reset the passwords of all affected accounts and emailed each affected user to explain the change:
‘As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.’
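The two mechanisms mentioned above, salted password storage and the precautionary password reset plus session-token revocation quoted from Twitter’s email, are sketched below as an added example. This code is not Twitter’s and is not from the original post; it assumes PBKDF2-HMAC-SHA256 as the salted hashing scheme (the post does not say which scheme Twitter used), and the accounts, emails and passwords in it are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt.
ITERATIONS = 100_000
SALT_BYTES = 16


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    session_tokens: set = field(default_factory=set)
    must_reset: bool = False  # set during a precautionary reset


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: identical passwords with different salts give different hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def unsalted_hash(password: str) -> bytes:
    """For contrast only: without a salt, identical passwords collide in the database."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def create_account(username: str, email: str, password: str) -> Account:
    salt = os.urandom(SALT_BYTES)
    return Account(username, email, salt, hash_password(password, salt))


def verify_password(account: Account, password: str) -> bool:
    """Constant-time comparison; an account flagged for reset rejects its old password."""
    if account.must_reset:
        return False
    return hmac.compare_digest(account.pw_hash, hash_password(password, account.salt))


def issue_session_token(account: Account) -> str:
    token = secrets.token_urlsafe(32)
    account.session_tokens.add(token)
    return token


def session_valid(account: Account, token: str) -> bool:
    return token in account.session_tokens


def reset_and_revoke(accounts: dict, affected: list) -> list:
    """The quoted response: old passwords stop working, all sessions are revoked,
    and the email address of each affected account is queued for notification."""
    notify = []
    for name in affected:
        acct = accounts[name]
        acct.must_reset = True
        acct.session_tokens.clear()
        notify.append(acct.email)
    return notify


def set_new_password(account: Account, new_password: str) -> None:
    """Re-salt on every password change so the new hash shares nothing with the old one."""
    account.salt = os.urandom(SALT_BYTES)
    account.pw_hash = hash_password(new_password, account.salt)
    account.must_reset = False


def demo() -> dict:
    # Constructed sample accounts; both users chose the same weak password.
    accounts = {
        "alice": create_account("alice", "alice@example.com", "hunter2"),
        "bob": create_account("bob", "bob@example.com", "hunter2"),
        "carol": create_account("carol", "carol@example.com", "correct horse"),
    }
    results = {}
    results["unsalted_equal"] = unsalted_hash("hunter2") == unsalted_hash("hunter2")
    results["salted_equal"] = accounts["alice"].pw_hash == accounts["bob"].pw_hash

    token = issue_session_token(accounts["alice"])
    results["login_before"] = verify_password(accounts["alice"], "hunter2")

    results["notified"] = reset_and_revoke(accounts, ["alice", "bob"])
    results["login_after_reset"] = verify_password(accounts["alice"], "hunter2")
    results["session_after_revoke"] = session_valid(accounts["alice"], token)
    results["unaffected_still_logs_in"] = verify_password(accounts["carol"], "correct horse")

    set_new_password(accounts["alice"], "a much longer new passphrase")
    results["login_with_new_password"] = verify_password(accounts["alice"], "a much longer new passphrase")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `unsalted_equal` versus `salted_equal` pair is the point of salting: with a per-account salt, a stolen table no longer reveals which users share a password, and each hash has to be attacked separately. The reset path mirrors the quoted email, since flagging the account and clearing its tokens is what makes the old password and the stolen session tokens useless.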
The post also offers some general password tips and tells users that Twitter backs the U.S. Department of Homeland Security’s advice to disable Java in their browsers. It will be interesting to see whether this attack leads Twitter to consider additional safety measures, such as offering two-factor authentication on accounts, to keep user information even more secure.