Twitter has reset the passwords of 250,000 accounts after detecting and shutting down a hacker attack last week.
Twitter's information security director Bob Lord said investigations revealed that the attackers may have had access to usernames, email addresses, session tokens and encrypted/salted versions of passwords.
“As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts,” he wrote in a blog post.
Twitter has notified all affected account holders by email that they need to create a new password.
The attack affected only around 0.13% of Twitter’s users, but the microblogging service has called on all users to make sure they are using strong passwords.
Twitter recommends passwords that are at least 10 characters and a mixture of upper- and lower-case letters, numbers, and symbols. It also warns against using one password for multiple online accounts.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident… For that reason we felt that it was important to publicise this attack while we still gather information,” he wrote.
Twitter is working with government and other law enforcement officers to find and prosecute these attackers, he concluded.
Graham Cluley, senior technology consultant at security firm Sophos, has warned that attackers may use stolen email addresses to send messages that appear to be from Twitter.
These messages may be designed to trick recipients into disclosing more personal information or clicking on malicious links, he wrote in a blog post.
Using the stolen session token, attackers could, in theory, hijack accounts, at least until the user or the hacker next logs off.
Attackers could also attempt to crack the passwords by setting computers and large dictionaries of commonly used passwords against the problem.
If some of the passwords are cracked, the hackers could then attempt to see if the same passwords will also unlock victims' other accounts, such as their email, said Cluley.
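The two responses described above, revoking session tokens and forcing a password reset, and the password policy Twitter recommends, can be shown together in a small account store. The following Python is an added illustration written for this page; it is not Twitter's or Sophos' code, and the store layout, function names and the PBKDF2 parameters are assumptions. It also shows why a per-user salt matters for the dictionary attack Cluley describes: each salt forces the attacker to recompute the dictionary for that one account rather than reuse a precomputed table.

```python
import hashlib
import hmac
import os
import secrets
import string

# Hypothetical in-memory account store (constructed for this example, not a
# real data model). Each account holds a per-user salt, a salted iterated
# password hash, a "must_reset" flag and the set of live session tokens.
PBKDF2_ROUNDS = 200_000  # assumed work factor; slows offline guessing


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a dictionary must be re-run per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_account(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "must_reset": False,
        "sessions": set(),
    }


def login(store: dict, user: str, password: str):
    """Return a fresh session token on success, None otherwise.
    An account flagged for reset cannot log in with the old password."""
    acct = store.get(user)
    if acct is None or acct["must_reset"]:
        return None
    if not hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"])):
        return None
    token = secrets.token_urlsafe(32)
    acct["sessions"].add(token)
    return token


def is_session_valid(store: dict, user: str, token: str) -> bool:
    """A stolen token works only while it is still in the live set."""
    acct = store.get(user)
    return acct is not None and token in acct["sessions"]


def respond_to_breach(store: dict, affected: list) -> int:
    """The precaution in the article: revoke every session token and force a
    password reset for each affected account. Returns tokens revoked."""
    revoked = 0
    for user in affected:
        acct = store[user]
        revoked += len(acct["sessions"])
        acct["sessions"].clear()
        acct["must_reset"] = True
    return revoked


def meets_policy(password: str) -> bool:
    """Twitter's stated recommendation: at least 10 characters mixing
    upper- and lower-case letters, digits and symbols."""
    return (
        len(password) >= 10
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def reset_password(store: dict, user: str, new_password: str) -> bool:
    """Complete the reset with a new salt; rejects passwords below policy."""
    if not meets_policy(new_password):
        return False
    acct = store[user]
    acct["salt"] = os.urandom(16)
    acct["hash"] = hash_password(new_password, acct["salt"])
    acct["must_reset"] = False
    return True


if __name__ == "__main__":
    store = {}
    create_account(store, "alice", "Correct-Horse9")
    token = login(store, "alice", "Correct-Horse9")
    print("session valid before response:", is_session_valid(store, "alice", token))
    print("tokens revoked:", respond_to_breach(store, ["alice"]))
    print("session valid after response:", is_session_valid(store, "alice", token))
    print("reset accepted:", reset_password(store, "alice", "New-Passw0rd!"))
```

The `must_reset` flag is what turns "we have reset passwords" into an enforceable state: until the user completes `reset_password`, neither the old password nor any previously issued token gets them in, which closes both the token-hijack window and the use of a cracked old password.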