This afternoon, I got an e-mail from Twitter saying it had reason to believe my account had been compromised and was therefore making me change my password. After I verified that the e-mail was indeed from Twitter — rather than a phisher trying to steal my info — I did as it instructed. And then, when I was back on the service, I saw other people saying that they’d received the same e-mail I had. Lots of them.
Turns out that there are a quarter-million of us. Twitter’s director of information security, Bob Lord, blogged the news:
As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
Lord says the hack was serious stuff:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
It’s not clear whether Lord is hinting that he thinks there’s some connection between the Twitter breach and the ones at the New York Times and Wall Street Journal, which seem to have originated in China and to relate to those publications’ coverage of that country. Nor is it obvious why he brings up Java, which shouldn’t have any association with assaults on Twitter’s servers.
(It is, however, always a sensible time to disable Java, a once-important technology that isn’t much more than a vestigial security risk for most computer users — here’s Slate’s Will Oremus on how to do it.)
Even if you didn’t receive Twitter’s e-mail and have no reason to believe your account was hacked, changing your password — on Twitter and everywhere else — won’t hurt your security and might help. A utility like 1Password can help you create individual, harder-to-crack passwords for all your accounts.
One way or another, I hope we learn more about the circumstances of the Twitter attack. It’s creepy to think that someone may have broken into your account — but it’s even creepier not to know who did it, or why.