Twitter has become the latest hacking victim, with the micro-blogging service revealing late on Friday that hackers had gained access to sensitive user data for around a quarter of a million of its users.
“This week, we detected unusual access patterns that led to us identifying unauthorised access attempts to Twitter user data,” explained Bob Lord, director of Information Security at Twitter.
“Our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users."
Twitter has reset the passwords for anyone whose account was compromised, and has been sending out emails notifying these users that they will need to change their passwords to access their accounts.
Lord used the situation to remind users of the need for good security practice in general.
“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites,” he suggested.
“Using the same password for multiple online accounts significantly increases your odds of being compromised.”
He also encouraged users to disable Java on their browsers, though whether this was the cause of the breach is unclear. Lord noted that both Apple and Mozilla have turned off Java by default in their browsers.
Lord added that the attack was carried out by an “extremely sophisticated” hacker or hackers, and implied that it was part of the same team who has recently attacked large US media outlets.
The New York Times on Wednesday revealed it had been under attack from Chinese hackers, while on Thursday the Wall Street Journal said its systems had also been breached by Chinese hackers, allegedly to monitor coverage.
One point to note is that Twitter started its ‘Keeping our users secure’ post with an overview of other recent high-profile attacks, rather than delving straight into the details of the attack on its own systems, as if to downplay the breach on its systems.