A targeted and professional hack was perpetrated against Twitter and its users last week with many users’ details compromised and potentially stolen, the company admitted on its blog late on Friday.
Twitter reports that a quarter of a million of its users’ accounts were victims in the attack, with the hackers gaining access to usernames, email addresses, and session tokens. The company says that the hackers also got access to users’ passwords but these were encrypted, not in plain text, or were salted.
“Our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords”
Twitter said that the hack was not an “isolated incident” and was not the work of amateurs and that it believes that other companies have been subject to the same type of illegal access.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. ”
Citing the New York Times’ and the Wall Street Journal’s recent attacks Twitter says this hack is part of an increasing number of professional-level attacks against US technology and media companies, although Twitter did say who it suspects was responsible.
It’s not clear if this hack was the reason for the downtime the site suffered on Thursday last week.
While this is a serious attack only a small percentage of users need to be worried. Twitter’s latest data reports that the company has 200 million monthly active users (with a greater number of inactive users). Even if the hackers only targeted such monthly active users the total percentage of hacked accounts would come to 0.125% of active users.
The company has reset victims’ passwords and sent emails alerting them that their accounts were potentially compromised. Twitter is also asking all users to reset their passwords and follow proper “password hygiene.”
The company recommends that users;
- Create passwords that are at least 10 characters in length.
- Use a combination of upper and lower case, numbers, special characters (punctuation marks).
- Disable Java (not JavaScript) in browsers.
- Never reuse the same password on multiple sites or multiple accounts.
- Avoid using common passwords (e.g. 123456, password).
Twitter users who want to change their passwords can do so here.
Twitter says it is still gathering information about the hack and is working with US law enforcement agencies.
