Twitter is sending out emails to 250,000 users it says may have had their accounts compromised in the last week as the site experienced “unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data.” Twitter tells us that this is “not related” to the widespread, but intermittent, outage the site saw yesterday.
The text of the email is below. In its blog post on the hacking, Twitter recommends that all users make sure they have a secure enough password on their account. In truth, there still seem to be some big unanswered questions. Twitter notes that “attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords”, which can also be interpreted as “may not have had access”, or may not have had access to all of those different elements. The reader who sent in the letter below tells us that he had not seen any unusual activity on the account recently — so any password or other kinds of compromises had not yet translated into actions, for him at least.
One coincidence that appears to be emerging is that many of the people who have been affected were among some of the earliest adopters of Twitter. Our reader signed up in 2007, and we have heard similar reports from others receiving the email.
Twitter says that it believes that other websites may have been compromised.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Bob Lord, director of information security at Twitter, notes in the blog post. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
Twitter would not comment on whether it had any information on which other companies may have had related attacks. By coincidence, Amazon also had an outage yesterday, although we understand that Amazon has determined that outside groups were not involved. Twitter does, however, refer to the security breaches at both the New York Times and the Wall Street Journal, as well as the recent security issues with Java in browsers, as examples of how hacking is everywhere (and to possibly deflect a little attention from what has just happened on its site).
Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.
You’ll need to create a new password for your Twitter account. You can select a new password at this link:
As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
In general, be sure to:
- Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
- Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
- Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.
For more information, visit our help page for hacked or compromised accounts.
According To #Twitter
According to Twitter, it was hacked and 250K accounts were affected, so they received emails from the company to change their password. This is not the first time this has happened, but this time it was a real hack, rather than a blend of real hacks and “false alarm” blast of emails like last time.
Way to start off our weekends, Twitter. Who knows if you’ll even get the email from Twitter about it, I know that I filter all of those things out. You can read all of the details about the hack and the company response here.
I find it really confusing when anything like this happens, because it feels like companies try to diminish the perception of the impact of the situation. Fact of the matter is, its users are seeing sad tweets from their friends about how they got hacked. I even had one person tell me that they felt like they weren’t cool enough because they didn’t get hacked.
Instead, or in addition to, just go change your password. We’re all cool enough to get hacked. The number, 250K affected, seems a bit too tidy to me, and I’m not saying that Twitter is lying, I’m just saying that it’s better to be safe than sorry.
Twitter also suggests this course of action, which is way too much for most people’s brains to process on a Friday:
“We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers.”
Happy Tweeting (Maybe)! While you’re at it, change all of your passwords for everything. It’s a good thing to do once in a while, especially if you use the same one for every single site you log into. [via TechCrunch]