
Twitter resets a quarter of a million accounts after hacker attack

Warwick Ashford

Twitter has reset the passwords of 250,000 accounts after detecting and shutting down a hacker attack last week.

Twitter's information security director Bob Lord said investigations revealed that the attackers may have had access to usernames, email addresses, session tokens and encrypted/salted versions of passwords.

“As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts,” he wrote in a blog post.

Twitter has notified all affected account holders by email that they need to create a new password.

The attack affected only around 0.13% of Twitter’s users, but the microblogging service has called on all users to make sure they are using strong passwords.

Twitter recommends passwords that are at least 10 characters and a mixture of upper- and lower-case letters, numbers, and symbols. It also warns against using one password for multiple online accounts.

In light of recent exploitation of Java browser plug-in vulnerabilities, Bob Lord echoed the US Department of Homeland Security's advisory encouraging users to disable Java in their browsers.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident… For that reason we felt that it was important to publicise this attack while we still gather information,” he wrote.

Twitter is working with government and other law enforcement officers to find and prosecute these attackers, he concluded.

Graham Cluley, senior technology consultant at security firm Sophos, has warned that attackers may use stolen email addresses to send messages that appear to be from Twitter.

These messages may be designed to trick recipients into disclosing more personal information or clicking on malicious links, he wrote in a blog post.

Using the stolen session tokens, attackers could, in theory, hijack accounts, at least until the user or the hacker next logs off.

Attackers could also attempt to crack the passwords by setting computers and large dictionaries of commonly used passwords against the problem.

If some of the passwords are cracked, the hackers could then attempt to see if the same passwords will also unlock victims' other accounts, such as their email, said Cluley.
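The two risks Cluley describes, offline dictionary cracking of salted hashes and reuse of any recovered password against other accounts, can be shown end to end with a small simulation. The code below is an added example and not code from Twitter, Sophos or the article; the account names, passwords, wordlist and the "other service" store are all constructed here, and the two hash constructions (a single salted SHA-256 round versus PBKDF2-HMAC-SHA256) are assumptions used to illustrate why a salt alone does not stop this attack while a deliberately slow hash raises its cost.

```python
import hashlib
import os
import time

# Constructed sample wordlist; a real attacker would use tens of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "twitter2013", "iloveyou", "sunshine"]

# Constructed sample accounts: username -> plaintext, used only to build the "leaked" store.
SAMPLE_USERS = {
    "alice": "letmein",          # weak, in the wordlist
    "bob": "sunshine",           # weak, in the wordlist
    "carol": "Tz7#p!vQ2m^w",     # long mixed-character password, not in any wordlist
}


def fast_hash(password: str, salt: bytes) -> bytes:
    """One round of SHA-256 over salt||password: salted, but cheap to guess against."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with the same salt; every guess now costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_store(users: dict, hash_fn) -> dict:
    """Return {username: (salt, digest)} using a fresh random 16-byte salt per user."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_fn(pw, salt))
    return store


def dictionary_attack(store: dict, wordlist: list, hash_fn) -> dict:
    """Offline attack against a leaked store: re-hash every candidate with each user's own salt.

    The per-user salt defeats precomputed tables (each account must be attacked separately),
    but it does nothing for a password that is simply present in the attacker's wordlist.
    """
    cracked = {}
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            if hash_fn(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked


def reuse_check(cracked: dict, other_service_store: dict, hash_fn) -> list:
    """Credential stuffing: try each cracked password against the same username elsewhere."""
    reused = []
    for user, pw in cracked.items():
        if user in other_service_store:
            salt, digest = other_service_store[user]
            if hash_fn(pw, salt) == digest:
                reused.append(user)
    return reused


def cost_per_guess(hash_fn, samples: int = 20) -> float:
    """Seconds one candidate guess costs the attacker under this hash construction."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    leaked = build_store(SAMPLE_USERS, fast_hash)
    cracked = dictionary_attack(leaked, WORDLIST, fast_hash)
    print("cracked from salted SHA-256 store:", cracked)      # alice and bob fall, carol does not

    # Constructed "other service" store: alice reused her password, bob did not.
    elsewhere = build_store({"alice": "letmein", "bob": "a-different-password"}, fast_hash)
    print("reused on the other service:", reuse_check(cracked, elsewhere, fast_hash))

    # Same wordlist, same weak passwords; only the attacker's per-guess cost changes.
    print(f"fast hash: {cost_per_guess(fast_hash) * 1e6:8.1f} us per guess")
    print(f"PBKDF2   : {cost_per_guess(slow_hash, samples=3) * 1e6:8.1f} us per guess")
```

The attack loop succeeds against the PBKDF2 store too, because weak passwords are weak under any hash; what the slow construction changes is the multiplier on every guess, which is what makes a large wordlist expensive to run against a quarter of a million salted hashes. The reuse check is why the article's advice against sharing one password across sites matters even to users whose account was reset.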

