Twitter has reset passwords and revoked session tokens for the approximately 250 000 users thought to have been compromised by the latest security breach.
“This week, we detected unusual access patterns that led to us identifying unauthorised access attempts to Twitter user data,” Twitter’s director of information security Bob Lord wrote in his blog on Friday.
“We discovered one live attack and were able to shut it down in process moments later.
“However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, e-mail addresses, session tokens, and encrypted/salted versions of passwords – for approximately 250 000 users.

“As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts.”

Affected users will receive an e-mail from Twitter, notifying them that they will need to create a new password, and their old passwords will no longer work.

Lord adds that uses should heed advice from the US Department of Homeland Security and security experts to disable Java in their browsers.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” he writes.
“The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.

“For that reason we felt that it was important to publicise this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

Lord also offers some advice on passwords for Twitter users.

“Though only a very small percentage of our users were potentially affected by this attack, we encourage all users to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet,” Lord adds.

“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers and symbols – that you are not using for any other accounts or sites.

“Using the same password for multiple online accounts significantly increases your odds of being compromised.”