On its blog Friday afternoon, Twitter reported that unusual activity patterns led the company to discover that 250,000 accounts were compromised. While the activity was discovered during the middle of an attack and Twitter's information security team was able to shut down the attempt in progress, they believe the attackers were able to access vital information including usernames, email addresses, session tokens and encrypted/salted versions of passwords for a quarter of a million accounts.
According to Twitter, passwords for affected accounts have been reset and session tokens that allow you to stay logged in without reentering your password have all been revoked. If your account has been hit, you won't be able to log in and the company will email you on how to reset your password.
So if you were one of the Tweeps that was hit you'll know by now, but what does this hack mean for the rest of us 200 million active monthly users? Until Google creates the smart ring that will do away with passwords, we have to be vigilant. The Twitter blog offers familiar security tips about passwords — using strong ones that use numbers and symbols with a variety of upper and lower case letters. It also recommends not using the same password for multiple accounts, and I would throw in personal tips of not using session tokens allowing social media sites to remember your password, and changing your passwords frequently.
The other security item of note is that Twitter references the recent Department of Homeland Security (DHS) recommendation of disabling Java due to recent reports of its vulnerability. Twitter stopped short of recommending disabling Java, but by referencing the report it leaves the door open for speculation as to where the attack came from.
Are they the same groups that have breached both the New York Times and Wall Street Journal — alleged to be the work of Chinese hackers believed to be interested in monitoring coverage of Chinese politics? The company mentions the recent wave of attacks, but wouldn't assign blame to any particular country or group.
Twitter's Director of Information Security, Bob Lord, did have this to say in their blog:
"This attack was not the work of amateurs, and we do not believe it was an isolated incident. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users."
Though the government and individual sites are getting busy looking into how, where and why the breaches are occurring, it doesn't mean those of us attached to our computers and social media platforms can rest easy. On a cold Saturday it may be time to curl up with a blanket and review the passwords and other security measures on your computer. Given the number of accounts and passwords we all have to remember, it's daunting, but definitely a good idea to keep your data as safe as possible.