Technologizer

Twitter Hacked: 250,000 Accounts at Risk

Who broke into as many as a quarter-million Twitter accounts, and why?

  • Share
  • Read Later

This afternoon, I got an e-mail from Twitter saying it had reason to believe my account had been compromised and was therefore making me change my password. After I verified that the e-mail was indeed from Twitter — rather than a phisher trying to steal my info — I did as it instructed. And then, when I was back on the service, I saw other people saying that they’d received the same e-mail I had. Lots of them.

Turns out that there are a quarter-million of us. Twitter’s director of information security, Bob Lord, blogged the news:

As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Lord says the hack was serious stuff:

This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.

It’s not clear whether Lord is hinting that he thinks there’s some connection between the Twitter breach and the ones at the New York Times and Wall Street Journal, which seem to have originated in China and to relate to those publications’ coverage of that country. Nor is it obvious why he brings up Java, which shouldn’t have any association with assaults on Twitter’s servers.

(It is, however, always a sensible time to disable Java, a once-important technology that isn’t much more than a vestigial security risk for most computer users — here’s Slate’s Will Oremus on how to do it.)

Even if you didn’t receive Twitter’s e-mail and have no reason to believe your account was hacked, changing your password — on Twitter and everywhere else — won’t hurt your security and might help. A utility like 1Password can help you create individual, harder-to-crack passwords for all your accounts.

One way or another, I hope we learn more about the circumstances of the Twitter attack. It’s creepy to think that someone may have broken into your account — but it’s even creepier not to know who did it, or why.

9 comments
SamRyder
SamRyder

Its really hard to believe how they do this last month I got an message from our Web hosting provider http://www.Webhost.UK.net that if you are using WHMCS billing system please change your password as there WHMCS whole server was hacked just by hacking the owners Twitter ID.

WHMCS is huge company with more than 500K customers and Twitter has become  a part of our life I really dont understand how this happens.. I hope I am safe :(

mobilecasedirect
mobilecasedirect

Why hack Twitter? Most users use the same username (email) and password (ilovemycat) for all of their accounts. You guessed it. Many people use the same password for their banking and investment accounts.

I learned this painful lesson on my LinkedIn & Paypal. Thank god they only were able to get $100 in small $20 dollar increments until I noticed it. PayPal refunded the charges but I am sure many of these thefts went unnoticed across millions of accounts for some very big money.

Keep unique passwords for every online account & change them a few times per year.

mrbomb13
mrbomb13

First, it's terrible that 250K users had their Twitter accounts hacked.

However, I would like to use this instance of Twitter hacking to expose the hypocrisy of some people.  

When Twitter was hacked, people rightly demanded that the hackers be brought to justics.  Yet, when Aaron Swartz hacked in the exact same manner, everyone was crying for others to show him sympathy.  Honestly, what he did was not admirable, and was in fact just as criminal as these Twitter hackers.

JLaw1
JLaw1

@mrbomb13 Swartz "hacked" content, content that was paid for with public funding. Twitter accounts are hacked for user information. Failure to comprehend the difference should result in your voluntary forfeiture of all things tech.

mrbomb13
mrbomb13

@JLaw1 @mrbomb13 

I recognized that the content Swartz hacked was payed for with public funding.  

However, the source of that funding is our tax dollars.  If we extended your logic even just a little, would that give Swartz (and all of us) the right to hack into government databases?  After all, the source of funding for those databases - you guessed it - was us.

Furthermore, do you really believe it's fair and just to deprive those database companies of customer revenues?  Every time someone downloaded a copy of those hacked files, those companies made 10-15 cents in revenue.  A decline in revenues affects the companies' bottom line profit.  Adverse effects on profit directly affects a business' ability to conduct expansionary activities (i.e. hiring, purchasing Property/Plant/Equipment, etc.).

YashVardhan
YashVardhan

huh.. Twitter will fix it anyhow.. Don't worry people..