Twitter is one of the most widely used social networking services in the world, making it an attractive target for malicious hackers.
Late Friday Twitter revealed that it had stopped a sophisticated attack against its users -- but not before approximately 250,000 user accounts were compromised.
Potentially compromised Twitter users received emails late Friday advising them that, as a precautionary security measure, Twitter had reset their user passwords.
"We recently detected an attack on our systems in which the attackers may have had access to limited user information - specifically, your username, email address and an encrypted/salted version of your password (not the actual letters and numbers in your password)," Twitter stated in emails to compromised users.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Twitter's Director of Information Security, Bob Lord wrote in a blog post that the attack was not an isolated incident and not the work of amateurs.
"The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked," Lord wrote. "For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users."
Lord noted that both the Wall St. Journal and New York Times have been breached in recent weeks. He also suggested that users disable Java in their browsers. Lord's post was published before Oracle updated Java for 50 flaws, also on late Friday. Lord did not provide any evidence that the attack against Twitter was directly related to flaws in Java or the attacks against the Wall St. Journal and New York Times. Twitter did not respond to a request for comment from eSecurity Planet by press time.
The Twitter password breach is not the first time Twitter users have been at risk from password disclosures. In 2009 multiple Twitter users were victimized by a phishing attack that claimed the account President Barack Obama.
Twitter and other social networking sites have improved security since then, including the use of encrypted salted passwords. LinkedIn was breached in 2012, due in part to the fact that the site did not use salted passwords. Salted passwords increase the complexity of passwords beyond what is possible with a SHA-1 hash.
Qualys CTO Wolfgang Kandek told eSecurity Planet that he was not surprised by the way Twitter handled it. "I think the disclosure fits with Twitter's culture of transparency and fairness to their users," he said.
Twitter has advised users to reset their passwords to be more complex, using at least 10 characters in a mix of numbers, symbols and upper and lower case letters. Simply improving password complexity, however, isn't enough.
Kevin Liston, SANS Internet Storm Center Handler, advises user should also log out of all the apps they currently use that are connected to Twitter.
"From within the web interface of Twitter, click on the Settings/gear icon and click on settings," Liston wrote "Click on Apps and it will show you what apps are authenticated and you can revoke access. See any there you don't recognize?"
As a best practice Liston recommends users log out of services like Twitter when they are not being used.
Twitter's weak link is its requirement for users to log into the service via a user/password combination. Unlike Google's Gmail, which now provides two-factor authentication options, Twitter does not. With two-factor authentication, users need a username/password as well as a second randomly generated password token in order to gain access.
"Users that feel strongly about the privacy and security of their accounts will not mind the additional step to gain greater security," Qualys' Kandek said. "I use two-factor authentication every day on my Gmail accounts, and I find it to be well worth the added tim, that I spend every morning when I login and have to consult my phone for the token numbers."