So Twitter got hacked; here’s the one bit of advice they didn’t hand out

On the Twitter Blog:

As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email…

…and I’ve received the e-mail:

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link: […]

As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password

Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

In general, be sure to:

  • Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
  • Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
  • Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.

For more information, visit our help page for hacked or compromised accounts.

I have two criticisms, one relevant to everyone:

Firstly, the password-reset link referred to above requires no extra authentication; I’m not sure what to do about that, but then it’s not my problem to solve. It does suggest that some people who receive this e-mail may have their Twitter account hijacked by a third party with access to their mailbox, but that could be argued to not be Twitter’s problem.

Second, I consider an essential piece of advice to be missing, viz: if you have used the same password for another service, then change that one too and use a different password there. I imagine that Twitter’s legal department chose not to muddy the waters by bringing third parties into the matter, but I still consider it, and the wider battle against account linkage, to be essential to password hygiene.

4 thoughts on “So Twitter got hacked; here’s the one bit of advice they didn’t hand out”

  1. Nigel Metheringham (@nmeth)

    I think it would be much safer to require your old password on password change – that means that an attacker would need both the password and access to the reset email, rather than just the email. However, a forgotten-password reset falls back to the email, possibly with whatever related information checks can be done – not much safer – or email and SMS token where that can be done.

    Definitely agree about the reuse of passwords point.

    I have been wondering about the lifetime of authentication tokens handed out by twitter to 3rd party applications. Some of these give far more privileges than needed (why does WordPress need posting abilities to allow me to comment here?). And the token lifetimes are very long – I have a couple that have been in place for several years – and although limited, the tokens are pretty much password equivalents (I guess you need the app’s own token too – probably not hard to get).

    [and now off to revoke that WordPress token]

  2. Dave Levy (@DaveLevy)

    Their blog article is clear on the advice not to reuse passwords.

    use a strong password… that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.

  3. Gilles Gravier (@gravax)

    @nmeth if they hacked and got the password hashes, then they just need a rainbow table to authenticate with your old password and set a new one. Not useful.

    Strong passwords are no match against somebody who has stolen hashed passwords and has built a rainbow table with corresponding passwords for those hashes. They don’t care how long and hard your password (PASSWORD, I said) is. They care how many bits long the hashing algorithm is, so that they can figure out how many passwords they need to precompute in their rainbow table.

    It’s Twitter that needs to fix things and get a better password hashing algorithm… or even better, better secure their own servers. The user isn’t responsible here. Twitter is.

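The comments above turn on whether “encrypted/salted” hashes (Twitter’s wording) can be matched with a single precomputed table, and whether the user’s password choice still matters once the hash store is stolen. The following is an added illustration written for this page, not code from Twitter or from any commenter; the accounts, passwords and candidate list are constructed sample data, and the PBKDF2 iteration count is an illustrative assumption. It contrasts an unsalted SHA-1 store, where one table built once matches every account and identical passwords collide, with a per-user-salted PBKDF2 store, where no precomputed table applies and every candidate has to be re-derived under each user’s own salt. It also shows the limit of salting: the two accounts that chose a password on the candidate list are still recovered by per-user guessing, just at a cost that grows with the number of users and the iteration count, which is why both the service’s hashing and the user’s password choice matter.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data (not from the breach): a few accounts and a tiny
# candidate list standing in for a leaked-password dictionary.
USERS = {
    "alice": "letmein",
    "bob": "letmein",                       # same password as alice
    "carol": "correct-horse-battery-staple",
}
CANDIDATES = ["password", "123456", "letmein", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative; tune to your hardware


def unsalted_hash(password: str) -> str:
    """Plain SHA-1 of the password: the same input always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 under a random 16-byte per-user salt. The salt and
    iteration count are stored next to the digest so verification can redo the work."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def precomputed_table(candidates):
    """One table built once from the candidate list: this is all a lookup or
    rainbow table provides against an unsalted scheme."""
    return {unsalted_hash(p): p for p in candidates}


def match_unsalted_store(store, table):
    """Each account whose digest is in the table is recovered by a dictionary
    lookup; identical passwords collide, so alice and bob fall together."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def match_salted_store(store, candidates):
    """With per-user salts no precomputed table applies: every candidate must be
    re-derived under each user's salt. Returns the recovered accounts and the
    number of PBKDF2 computations spent, to show the work scaling with users."""
    recovered, work = {}, 0
    for user, stored in store.items():
        for candidate in candidates:
            work += 1
            if verify_salted(candidate, stored):
                recovered[user] = candidate
                break
    return recovered, work


def demo():
    """Run both stores against the same candidate list and report the contrast."""
    unsalted_store = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_store = {u: salted_hash(p) for u, p in USERS.items()}
    table = precomputed_table(CANDIDATES)
    unsalted_hits = match_unsalted_store(unsalted_store, table)
    salted_hits, work = match_salted_store(salted_store, CANDIDATES)
    return {
        "unsalted_collide": unsalted_store["alice"] == unsalted_store["bob"],
        "salted_collide": salted_store["alice"] == salted_store["bob"],
        "unsalted_hits": unsalted_hits,
        "salted_hits": salted_hits,
        "salted_work": work,
        "table_applies_to_salted": any(s in table for s in salted_store.values()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the unsalted store giving up alice and bob from one table with no per-account work, while the salted store yields nothing to the table at all and costs ten separate PBKDF2 derivations (three each for alice and bob before the match, four for carol with no match) to recover the same two weak passwords; carol’s long passphrase is never recovered by either route.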
