On the Twitter Blog:
As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email…
…and I’ve received the e-mail:
Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.
You’ll need to create a new password for your Twitter account. You can select a new password at this link: […]
As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
In general, be sure to:
- Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
- Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
- Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.
For more information, visit our help page for hacked or compromised accounts.
I have two criticisms, one relevant to everyone:
Firstly, the password-reset link referred-to above requires no extra authentication; I’m not sure what to do about that but then it’s not my problem to solve. It does suggest that some people who receive this e-mail may have their Twitter-account hijacked by some third party with access to their mailbox, but that could be argued to not be Twitter’s problem.
Second, I consider an essential piece of advice to be missing, viz: if you have used the same password elsewhere for another service, then change that too and use a different one there. I imagine that Twitter’s legal department chose not to muddy waters by bringing third parties into the matter, but I still consider it / the battle against account linkage to be essential to password hygiene.