Twitter has identified “unauthorized” attempts to access user data, detecting at least one live attack in progress and shutting it down moments later.
However, a Twitter spokesperson conceded that the unknown attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
“As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts,” explained Twitter security rep Bob Lord.
“If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.”
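The containment steps described above (reset the password and revoke the session tokens of every affected account, so that neither a stolen token nor the old password works any longer) are easy to get subtly wrong, for example by leaving previously issued tokens valid. The following is an added illustration written for this page, not Twitter's code: a small in-memory account store with salted PBKDF2 password hashes, random session tokens, and a `contain_breach` operation that invalidates all sessions for a list of affected users and forces a fresh password. The usernames, passwords and work factor are constructed for the example.

```python
"""
Added example (not Twitter's own code): a minimal account store that models
the response described in the article -- salted password hashing, random
session tokens, and a per-account "revoke all sessions and force a password
reset" step applied to a list of affected users. All names and values below
are constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, tune for production


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    def __init__(self):
        # username -> {salt, digest, reset_required, generation}
        self.accounts = {}
        # token -> (username, generation the token was issued under)
        self.sessions = {}

    def create_account(self, username, password):
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "reset_required": False, "generation": 0}

    def login(self, username, password):
        """Return a new session token, or None if login is refused."""
        acct = self.accounts.get(username)
        # An account awaiting a forced reset cannot log in with the old password.
        if acct is None or acct["reset_required"]:
            return None
        if not verify_password(password, acct["salt"], acct["digest"]):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, acct["generation"])
        return token

    def session_valid(self, token):
        """A token is valid only if issued under the account's current generation."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        username, generation = entry
        return generation == self.accounts[username]["generation"]

    def contain_breach(self, affected):
        """Revoke every outstanding session and force a password reset for each affected user.

        Bumping the generation counter invalidates all tokens issued earlier,
        including copies that may already be in an attacker's hands.
        """
        for username in affected:
            acct = self.accounts.get(username)
            if acct is None:
                continue
            acct["generation"] += 1
            acct["reset_required"] = True

    def reset_password(self, username, new_password):
        """Complete the forced reset; the new password must differ from the old one."""
        acct = self.accounts[username]
        if verify_password(new_password, acct["salt"], acct["digest"]):
            return False
        acct["salt"], acct["digest"] = hash_password(new_password)  # fresh salt as well
        acct["reset_required"] = False
        return True


def demo():
    """Walk through the containment flow and report the observable outcomes."""
    store = AccountStore()
    store.create_account("alice", "correct horse battery staple")  # constructed
    store.create_account("bob", "some other long passphrase")      # constructed
    alice_tok = store.login("alice", "correct horse battery staple")
    bob_tok = store.login("bob", "some other long passphrase")

    store.contain_breach({"alice"})  # only alice is in the affected set

    results = {
        "alice_old_session_valid": store.session_valid(alice_tok),
        "alice_old_password_login": store.login("alice", "correct horse battery staple") is not None,
        "bob_session_valid": store.session_valid(bob_tok),
        "alice_reset_same_password": store.reset_password("alice", "correct horse battery staple"),
        "alice_reset_new_password": store.reset_password("alice", "new passphrase for 2013"),
    }
    results["alice_new_login"] = store.login("alice", "new passphrase for 2013") is not None
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The generation counter is the important design choice: deleting tokens from a server-side table only works if every token is in that table, whereas a per-account counter also invalidates tokens that were embedded in cookies or handed to other services before the breach was noticed. Unaffected users (here, `bob`) keep their sessions, which is what limits the reset to the affected population.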
Although Lord emphasized that only a “very small percentage” of users were potentially affected by the security breach, he did urge all users to take a moment to ensure they are following good password hygiene, on Twitter and elsewhere on the Internet.
“Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised,” he said.
“We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers in their browsers.”
While Lord didn’t offer specifics about the attackers, he did note that the digital intrusion was not the work of amateurs, nor an isolated incident.
“The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users,” he added.