Twitter disclosed on Friday evening that its systems had been attacked in the past week by an unidentified group of hackers. As a result of the the attack, the hackers may have had access to the usernames, email addresses and other sensitive information of nearly a quarter of a million twitter users.
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later,” the company said in a blog post. “However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
On Friday evening, Twitter sent out emails to those users whose accounts may have been compromised, notifying them that the company had automatically reset their user passwords, and that they would need to create a new password in order to access the service again.
The hack comes on the heels of a week of major, nationally publicized security issues with a number of major publications, including The New York Times and The Wall Street Journal(which, disclosure, is owned by News Corp., ATD’s parent company). In their stories on the hacks, both publications made allegations that the attacks stemmed from their investigative reporting efforts covering Chinese officials, and that the Chinese government may be involved in some capacity.
But in Director of Security Bob Lord’s company blog post, Twitter makes no indication as to who was responsible for Twitter’s security breach, nor does Lord connect the hack directly to either the Journal’s or the Times’ incidents.
“The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked,” Lord wrote in his post.
As of Friday evening, Twitter has not disclosed, nor does not seem to know, who the group of hackers are.
Whether or not the attacks on the two media companies and Twitter are related, there is a major difference in the incidences: The disparate levels of in-house security each company has. The New York Times reported that the Symantec software it had installed on its systems had only detected one of the 45 major security intrusions over the last few months. And both the Times and the Journal went outside to third-party security consultants to assess the extent of their system breaches.
Twitter, however, employs a world-class in-house team of security researchers,well-versed in their ability to detect system vulnerabilities.
And Twitter has made no bones about carting out some of their highest profile hires in the operational security (OpSec) sector: Moxie Marlinspike, Bob Lord and Charlie White are highly respected in the OpSec community, all of whom head up the company’s security efforts. And in January of 2012, Twitter acquired Dasient, a security firm focused on Malware.
Jim Prosser, a Twitter spokesman, did not answer questions related to how the attack occurred, nor why only a set of 250,000 users were affected in the attack.
“We’re limited on the amount of information we can share at this time, given the nature of the attack and its potential scope in the genral internet community,” Prosser said.
But Ashkan Soltani, an independent security researcher, speculated that because Twitter was able to identify the users whose accounts may have been compromised, the scope of the breach may be somewhat limited.
