Twitter succumbs to "extremely sophisticated" attack


Joining a parade of recognizable names that have fallen victim to hackers, Twitter announced late Friday that it was hit by an advanced attack that may have netted the culprits access to the credentials of a quarter-million users.

According to a blog post from Bob Lord, Twitter's director of information security, the saboteurs may have reached the usernames, passwords, email addresses, and session tokens (which identify an authenticated session between a client and a server) for 250,000 people. As a result of the breach, which Twitter first observed last week, the company has reset victims' passwords and revoked their session tokens.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Lord wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Twitter blended in with a sea of breach announcements last week, most notably from three major newspapers – The New York Times, The Washington Post and The Wall Street Journal – all of whom disclosed that their systems were compromised by cunning adversaries.

In the blog post, Lord advised users to use strong passwords and avoid using the same one for other accounts online.

Twitter said its passwords were "salted," a method which appends a random string of characters to each password before it is hashed, adding an extra layer of security and making the stored data more difficult for attackers to crack. It's not impossible to crack them, however. That could be why, according to a job listing pointed out by The Guardian, Twitter appears to be considering adding multifactor authentication functionality, a feature already offered by some major players on the web, including Gmail, Facebook and Yahoo.
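As an added illustration of the salting described above (example code written for this article, not Twitter's own, whose password storage the post does not detail), the snippet below stores each password with a random per-user salt and a slow key derivation, and shows why a precomputed table of common-password hashes matches an unsalted hash instantly but not a salted one; the record format and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor; a real deployment tunes this to its hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex' using PBKDF2-HMAC-SHA256 with a random salt."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: what salting is meant to replace."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed lookup table of unsalted hashes for a few common passwords,
# standing in for the precomputed tables that make unsalted hashes cheap to reverse.
COMMON = ["password", "123456", "qwerty"]
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Instant match if the stored hash appears in the precomputed table."""
    return PRECOMPUTED.get(stored_hash)


def salted_records_differ(password: str) -> bool:
    """Two users with the same password get different records once salted,
    so one precomputed table cannot serve every account."""
    return hash_password(password) != hash_password(password)
```

Salting defeats table lookups, but a weak password can still be guessed one account at a time, which is why the post pairs the salting note with advice to choose strong, unique passwords.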

It's not clear what the motives of the attackers were, unlike in the case of The Times or Journal, which said they were hit by Chinese spies wanting to eavesdrop on communication between journalists and sources. The incident harkened back to last spring, when a string of high-profile companies sustained user password breaches, including LinkedIn, Yahoo and Formspring.

Twitter did hint at the cause of the breach, when it suggested users disable Java in their browser. Java is software that has been riddled with vulnerabilities over the last few years, giving rise to multiple, widespread exploits.
