Twitter Hacked; 250,000 User Accounts Potentially Compromised

Last Updated 7:53 p.m. PT

Twitter disclosed on Friday evening that its systems had been attacked in the past week by an unidentified group of hackers. As a result of the attack, the hackers may have had access to the usernames, email addresses and other sensitive information of nearly a quarter of a million Twitter users.

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later,” the company said in a blog post. “However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”

On Friday evening, Twitter sent out emails to those users whose accounts may have been compromised, notifying them that the company had automatically reset their user passwords, and that they would need to create a new password in order to access the service again.

The hack comes on the heels of a week of major, nationally publicized security issues with a number of major publications, including The New York Times and The Wall Street Journal (which, disclosure, is owned by News Corp., ATD’s parent company). In their stories on the hacks, both publications made allegations that the attacks stemmed from their investigative reporting efforts covering Chinese officials, and that the Chinese government may be involved in some capacity.

The week also saw prolonged service outages from Amazon, Bank of America and other major institutions that touch the daily lives of hundreds of millions of people globally.

Sources close to Amazon, however, told AllThingsD that the outage was related to internal issues. And on Friday, a source familiar with the matter told AllThingsD that Bank of America’s prolonged outage was again not related to the recent attacks on the New York Times, the Wall Street Journal or Twitter.

In Director of Security Bob Lord’s company blog post, Twitter gives no indication as to who was responsible for its security breach, nor does Lord connect the hack directly to any of the incidents affecting major Web companies this week.

“The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked,” Lord wrote in his post.

As of Friday evening, Twitter has not disclosed, nor does it seem to know, who the hackers are.

Whether or not the attacks on the two media companies and Twitter are related, there is a major difference between the incidents: the disparate levels of in-house security at each company. The New York Times reported that the Symantec software it had installed on its systems had only detected one of the 45 major security intrusions over the last few months. And both the Times and the Journal went with third-party security consultants to assess the extent of their system breaches.

Twitter, however, employs a world-class in-house team of security researchers, well versed in detecting system vulnerabilities.

And Twitter has made no bones about carting out some of their highest profile hires in the operational security (OpSec) sector: Moxie Marlinspike (who recently left the company), Bob Lord and Charlie White, all of whom head up the company’s security efforts, are highly respected in the security community. And in January of 2012, Twitter acquired Dasient, a security firm focused on malware.

Jim Prosser, a Twitter spokesman, did not answer questions related to how the attack occurred, nor why only a set of 250,000 users were affected in the attack.

“We’re limited on the amount of information we can share at this time, given the nature of the attack and its potential scope in the general Internet community,” Prosser said.

Though the company won’t go into details on how the attack occurred, some elements of Twitter’s blog post could shed some light on the nature of the attack. For one, Twitter recommends that users disable Java plug-ins inside their browsers, as the technology has been labeled highly vulnerable to malicious software attacks, including by the U.S. Department of Homeland Security.

Second, and perhaps more interesting: Twitter’s blog post, again, was penned by Bob Lord, director of Information Security. That suggests that whatever vulnerability led to Twitter’s being hacked, it could have happened from theft of, or access to, sensitive information which led to system access, rather than on the Twitter application, or AppSec, side.

Ashkan Soltani, an independent security researcher, speculated that because Twitter was able to identify the users whose accounts may have been compromised, the scope of the breach may be somewhat limited.

“It depends on how deep the attack went,” Soltani told AllThingsD in an interview. “My gut feeling is that because they’ve identified the affected and contacted them, it would be something on an edge server. It depends on how Twitter has set up its infrastructure.”

Reports coming in on Twitter and the message board Hacker News are claiming that many of the affected accounts are early adopters of Twitter, those having signed up in Twitter’s early days. It is not clear whether the accounts affected are strictly those who signed up for Twitter early on.

Whatever the case, in its company blog post, Twitter took the occasion to urge its users to employ better security “hygiene,” remembering to use long, complicated passwords when registering their accounts.