A quarter of a million Twitter users have had their accounts hacked in the latest of a string of high-profile internet security breaches. According to Twitter’s information security director Bob Lord, about 250,000 users’ passwords had been stolen, as well as usernames, emails and other data on Friday.
The micro-blogging site said that it discovered “one live attack and [was] able to shut it down in process moments later.” But it’s likely that the hackers still gained access to things like usernames, email addresses, session tokens and encrypted/salted versions of passwords.
The security breach is one of the biggest to ever affect Twitter, which has 200 million active users, and highlights growing concerns over the danger of so-called cyber attacks.
Twitter said it had warned all the users who had their passwords stolen, and reset them to stop further risk. But security experts warned that the hackers had possession of a potentially valuable cache of information, as many people’s Twitter passwords are identical to those they use for other purposes, including banking.
Mr. Lord said: “We encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the internet.
“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols.”
Twitter said in its blog that the attack “was not the work of amateurs, and we do not believe it was an isolated incident”.
“For that reason we felt that it was important to publicise this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users.”
Mr. Lord did not say who had carried out the attack, but added: “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.”
He was referring to the recent similar attacks directed at the New York Times, Wall Street Journal and Washington Post, which reported security breaches this week in a string of attacks by Chinese hackers.
On Thursday the New York Times linked the attack to a story it published alleging relatives of former Premier Wen Jiabao controlled assets worth billions of dollars.
China’s foreign ministry dismissed the New York Times’ accusations as “groundless” and “totally irresponsible”.
The foreign ministry continued: “Chinese law forbids hacking and any other actions that damage internet security.”
China has been accused of mounting a widespread, aggressive cyber-spying campaign for several years, trying to steal classified information and corporate secrets and to intimidate critics.
Already, online security experts are warning of phishing scams that could result from these latest attacks, in which people pretending to be from Twitter send unsuspecting users emails filled with malicious links.
So if you are one of the 250,000 people whose accounts have been hacked, this is what you do.
The first thing you will notice is that your username/password doesn’t work when you try to log into the social networking site.
You will also have been sent an email from Twitter asking you to create a new password.
Follow the instructions in the email to create a new password. Also be sure to follow their advice on passwords.
Their advice in part reads as follows:
“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.”
It goes on:
“If you are not using good password hygiene, take a moment now to change your Twitter passwords. For more information about making your Twitter and other internet accounts more secure, read our Help Center documentation or the FTC’s guide on passwords.
“We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers. For instructions on how to disable Java, read this recent Slate article.”