Twitter engineers shut down what they described as an "extremely sophisticated" hack attack on the company's network that exposed the cryptographically protected password data and login tokens for 250,000 users.

In a blog post published late Friday afternoon, company officials said affected passwords and tokens have been reset and e-mails are in the process of being sent out to affected users. Twitter said it discovered the breach “earlier this week” and shut it down moments later.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Bob Lord, Twitter's director of information security, wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."

Lord also mentioned recent attacks on Oracle's Java software framework for browsers, although he didn't explain what it had to do with the attack on Twitter. He urged users to disable Java on their computers.

Twitter compared the timing of the breach to the recent widespread hacks of the New York Times and the Wall Street Journal, in which Chinese hackers gained access to the papers' databases to track down information on journalists and their sources who were helping write stories critical of the family of China's prime minister.

“[W]e detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” Twitter's post read. “We discovered one live attack and were able to shut it down in process moments later.” Towards the end of the post, Twitter said it was still gathering information on what happened:

Twitter also expressed a sentiment we've repeated many times here on Ars: keep passwords strong and don't reuse them on other accounts or sites.

Twitter said the hackers who attacked its network may have accessed "encrypted/salted versions of passwords." In the past, the company has said publicly that it uses the bcrypt cryptographic algorithm to hash passwords. That's good news because the algorithm operates slowly and requires large amounts of computing resources, making it among the hardest for password crackers to defeat. Twitter continues to use bcrypt now, a person familiar with its security regimen told Ars. For more information about the benefits of slow hashes, see the Ars feature "Why passwords have never been weaker—and crackers have never been stronger."

Because Twitter has reset user passwords and session tokens, there's reason for optimism that most Twitter accounts will remain safe. But users who used the same password for other online accounts remain at risk. While bcrypt is among the best hashing algorithms available, its use merely slows down the cracking process. Because the breach also exposed Twitter users' e-mail addresses, cracked passwords could be used to compromise accounts on Facebook, LinkedIn, or any number of other sites, if those accounts use the same passcode.

Additional reporting by Megan Geuss