Twitter succumbs to "extremely sophisticated" attack

Joining a parade of recognizable names that have fallen victim to hackers, Twitter announced late Friday that it was hit by an advanced attack that may have netted the culprits access to the credentials of a quarter-million users.

According to a blog post from Bob Lord, Twitter's director of information security, the saboteurs may have reached the usernames, passwords, email addresses, and session tokens, which identify an authenticated session between a client and a server, for 250,000 people. As a result of the breach, which Twitter first observed last week, the company has reset victims' passwords and canceled their session tokens.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Lord wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Twitter blended in with a sea of breach announcements last week, most notably from three major newspapers – The New York Times, The Washington Post and The Wall Street Journal – all of whom disclosed that their systems were compromised by cunning adversaries.

In the blog post, Lord advised users to use strong passwords and avoid using the same one for other accounts online.

Twitter said its passwords were "salted," a method which appends a random string of characters to each password before it is stored, thus adding an extra layer of security and making the stolen data more difficult for attackers to crack. It's not impossible to crack them, however. That could be why, according to a job listing pointed out by The Guardian, Twitter appears to be considering adding multifactor authentication functionality, a feature that already has been introduced by some major players on the web, including Gmail, Facebook and Yahoo.

It's not clear what the motives of the attackers were, unlike in the case of The Times or Journal, which said they were hit by Chinese spies wanting to eavesdrop on communication between journalists and sources. The incident harkened back to last spring, when a string of high-profile companies sustained user password breaches, including LinkedIn, Yahoo and Formspring.

Twitter did hint at the cause of the breach when it suggested users disable Java in their browser. Java is software that has been riddled with vulnerabilities over the last few years, giving rise to multiple, widespread exploits.
