Following last week’s hack, Twitter appears to be planning to make logins more secure by introducing two-factor authentication.
Evidence comes in the form of a job ad, spotted by the Guardian, for a software engineer who would ‘design and develop user-facing security features, such as multifactor authentication and fraudulent login detection’.
The company’s looking for ‘multiple’ people for the role, it says.
On Friday, Twitter revealed that around 250,000 users were hit by the breach, which revealed usernames, email addresses, session tokens and encrypted/salted versions of passwords. It reset passwords for those affected.
Two-factor authentication blocks access from a new device or internet address, even when the correct password is used, unless the user also enters a numerical code that’s sent to their phone.
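How a login service can demand the phone-delivered code only when the password arrives from an unrecognised device, as an added example (not Twitter's code and not from the original article); the in-memory user store, the device identifier and the send_sms hook are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores; a real service would keep these in a database.
USERS = {}    # username -> {"salt", "hash", "trusted": set of device ids}
PENDING = {}  # (username, device_id) -> (one-time code, expiry timestamp)
CODE_TTL = 300  # seconds a delivered code remains valid

def register(username, password):
    """Store a salted password hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[username] = {"salt": salt, "hash": digest, "trusted": set()}

def password_ok(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    return hmac.compare_digest(digest, user["hash"])  # constant-time comparison

def send_sms(username, code):
    pass  # hypothetical delivery hook; a no-op in this example

def login(username, password, device_id, now=None):
    """Return 'denied', 'ok', or 'challenge' (a code was sent to the phone)."""
    now = time.time() if now is None else now
    if not password_ok(username, password):
        return "denied"
    if device_id in USERS[username]["trusted"]:
        return "ok"  # known device: password alone is enough
    code = f"{secrets.randbelow(10**6):06d}"  # unpredictable six-digit code
    PENDING[(username, device_id)] = (code, now + CODE_TTL)
    send_sms(username, code)
    return "challenge"

def verify_code(username, device_id, submitted, now=None):
    """Second step: the code is single-use, time-limited, and compared in constant time."""
    now = time.time() if now is None else now
    entry = PENDING.pop((username, device_id), None)  # pop makes it single-use
    if entry is None:
        return False
    code, expires_at = entry
    if now > expires_at or not hmac.compare_digest(code, submitted):
        return False
    USERS[username]["trusted"].add(device_id)  # remember the device for next time
    return True
```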
Twitter wouldn’t be the first company to lock the stable door after the horse has bolted in this way: Dropbox, too, introduced two-factor authentication after a security breach last summer. Google already offers it as an option for Gmail.
Meanwhile, while there’s still no word on who might have carried out the attack, it’s emerged that many of the affected users were particularly high-profile, implying that it wasn’t a random attack.
According to PeerReach, only users joining the site before 15 June 2007 were affected, and those hit include 17 percent of the 100 most influential Twitter accounts – including Barack Obama and major newspapers.
“If the hackers have 250,000 encrypted passwords in their possession they have all the time in the world to break these passwords. Although the compromised accounts are forced to change their passwords, many are likely to have re-used passwords for other applications such as email, domain names and other critical services,” warns the company in a blog.
“This gives the criminals great possibilities, in combination with social engineering, to continue their campaign against other media sources.”