Twitter succumbs to "extremely sophisticated" attack


Joining a parade of recognizable names that have fallen victim to hackers, Twitter announced late Friday that it was hit by an advanced attack that may have netted the culprits access to the credentials of a quarter-million users.

According to a blog post from Bob Lord, Twitter's director of information security, the saboteurs may have reached the usernames, passwords, email addresses and session tokens, which identify an authenticated connection between a client and a server, of 250,000 people. As a result of the breach, which Twitter first observed last week, the company has reset victims' passwords and revoked their session tokens.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Lord wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Twitter blended in with a sea of breach announcements last week, most notably from three major newspapers – The New York Times, The Washington Post and The Wall Street Journal – all of whom disclosed that their systems were compromised by cunning adversaries.

In the blog post, Lord advised users to use strong passwords and avoid using the same one for other accounts online.

Twitter said its passwords were "salted," a method that appends a random string of characters to each password before it is hashed, adding an extra layer of security and making the stored data more difficult for attackers to recover. It is not impossible to crack them, however. That could be why, according to a job listing pointed out by The Guardian, Twitter appears to be considering adding multifactor authentication, a feature already offered by some major players on the web, including Gmail, Facebook and Yahoo.
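As an added illustration (not Twitter's code, and not a description of its actual scheme), the following Python shows why a per-user random salt matters and why it is still not a complete defence against cracking: with an unsalted hash, two users who chose the same weak password get identical digests and a precomputed digest-to-password table recovers both with one lookup; with salting, the records differ and the table finds nothing, yet a weak password can still be guessed by hashing candidates with the stored salt. The block uses PBKDF2-HMAC-SHA256 with constructed parameters, a slow salted hash rather than a plain appended string, as an assumption about good practice.

```python
import hashlib
import hmac
import os

# Constructed parameters for this demo; nothing here is Twitter's real scheme.
ITERATIONS = 100_000
SALT_BYTES = 16

def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_password(password: str, salt: bytes = b"") -> dict:
    """Hash with a fresh random salt using PBKDF2-HMAC-SHA256 and return the
    record a server would persist: salt and digest, never the password."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}

def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["digest"])

def precomputed_table_hits(records: list, table: dict) -> int:
    """Count records whose digest a precomputed digest->password table recovers
    with one lookup. Salted records are immune because the table was built
    without each record's random salt."""
    return sum(1 for r in records if r["digest"] in table)

def demo() -> dict:
    # Constructed sample: two users who chose the same weak password.
    users = {"alice": "password123", "bob": "password123"}
    # A precomputed table of unsalted SHA-256 digests for a few common passwords.
    table = {unsalted_hash(w): w for w in ["password123", "letmein", "qwerty"]}

    unsalted = [{"digest": unsalted_hash(p)} for p in users.values()]
    salted = {u: store_password(p) for u, p in users.items()}
    return {
        # Unsalted: identical passwords give identical digests, both in the table.
        "unsalted_identical": unsalted[0]["digest"] == unsalted[1]["digest"],
        "unsalted_table_hits": precomputed_table_hits(unsalted, table),
        # Salted: same password, different records, and the table finds nothing.
        "salted_identical": salted["alice"]["digest"] == salted["bob"]["digest"],
        "salted_table_hits": precomputed_table_hits(list(salted.values()), table),
        "login_ok": verify_password("password123", salted["alice"]),
        "login_wrong": verify_password("Password123", salted["alice"]),
    }
```

The salt removes the attacker's ability to reuse one table across all users, which is why a leaked salted database still forces per-record guessing; the remaining exposure is the weak password itself, which is the point of Lord's advice on strong, unique passwords.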

It is not clear what the attackers' motives were, unlike in the case of The Times and the Journal, which said they were hit by Chinese spies seeking to eavesdrop on communication between journalists and sources. The incident harkened back to last spring, when a string of high-profile companies, including LinkedIn, Yahoo and Formspring, sustained user password breaches.

Twitter did hint at the cause of the breach when it suggested users disable Java in their browsers. Java has been riddled with vulnerabilities over the last few years, giving rise to multiple widespread exploits.
