Joining a parade of recognizable names that have fallen victim to hackers, Twitter announced late Friday that it was hit by an advanced attack that may have netted the culprits access to the credentials of a quarter-million users.
According to a blog post from Bob Lord, Twitter’s director of information security, the saboteurs may have reached the usernames, passwords, email addresses, and session tokens, which identify an authenticated session between a client and a server, for 250,000 people. As a result of the breach, which Twitter first observed last week, the company has reset victims’ passwords and canceled their session tokens.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Lord wrote. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
Twitter blended in with a sea of breach announcements last week, most notably from three major newspapers – The New York Times, The Washington Post and The Wall Street Journal – all of whom disclosed that their systems were compromised by cunning adversaries.
In the blog post, Lord advised users to use strong passwords and avoid using the same one for other accounts online.
Twitter said its passwords were “salted,” a method that appends a random string of characters to each password before it is hashed, adding an extra layer of security and making the stored hashes more difficult for attackers to crack. It’s not impossible to crack them, however. That could be why, according to a job listing pointed out by The Guardian, Twitter appears to be considering adding multifactor authentication functionality, a feature that has already been introduced by some major players on the web, including Gmail, Facebook and Yahoo.
It’s not clear what the motives of the attackers were, unlike in the case of The Times or Journal, which said they were hit by Chinese spies wanting to eavesdrop on communication between journalists and sources. The incident harkened back to last spring, when a string of high-profile companies sustained user password breaches, including LinkedIn, Yahoo and Formspring.
Twitter did hint at the cause of the breach, when it suggested users disable Java in their browser. Java is software that has been riddled with vulnerabilities over the last few years, giving rise to multiple, widespread exploits.