Twitter succumbs to "extremely sophisticated" attack

Share this article:

Joining a parade of recognizable names that have fallen victim to hackers, Twitter announced late Friday that it was hit by an advanced attack that may have netted the culprits access to the credentials of a quarter-million users.

According to a blog post from Bob Lord, Twitter's director of information security, the saboteurs may have reached the usernames, passwords, email addresses, and session tokens, which identifies communication between a client and a server, for 250,000 people. As a result of the breach, which Twitter first observed last week, the company has reset victims' passwords and canceled their session tokens.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Lord wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Twitter blended in with a sea of breach announcements last week, most notably from three major newspapers – The New York Times, The Washington Post and The Wall Street Journal – all of whom disclosed that their systems were compromised by cunning adversaries.

In the blog post, Lord advised users to use strong passwords and avoid using the same one for other accounts online.

Twitter said its passwords were "salted," a method which randomly appends a string of characters in each password, thus adding an extra layer of security and making the data more difficult for attackers to decrypt. It's not impossible to crack them, however. That could be why, according to a job listing pointed out by The Guardian, Twitter appears to be considering adding multifactor authentication functionality, a feature that already has been introduced by some major players on the web, including Gmail, Facebook and Yahoo.

It's not clear what the motives of the attackers were, unlike in the case of The Times or Journal, which said they were hit by Chinese spies wanting to eavesdrop on communication between journalists and sources. The incident harkened back to last spring, when a string of high-profile companies sustained user password breaches last spring, including LinkedIn, Yahoo and Formspring.

Twitter did hint at the cause of the breach, when it suggested users disable Java in their browser. Java is software that has been riddled with vulnerabilities over the last few years, giving rise to multiple, widespread exploits.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

NIST finalizes cloud computing roadmap

NIST finalizes cloud computing roadmap

The NIST architecture is designed to accelerate the adoption of cloud computing.

Chinese MitM attack targets iCloud users

Chinese MitM attack targets iCloud users

The attack used a false certificate to trick iCloud users into handing over personal data and login credentials. With an attack of this size, some experts and researchers believe the ...

EPIC: driver data shared via V2V technology needs protection

The groups shared comments on V2V communications with the National Highway Traffic Safety Administration.