Twitter resets a quarter of a million accounts after hacker attack

Twitter has reset the passwords of 250,000 accounts after detecting and shutting down a hacker attack last week.

Twitter's information security director Bob Lord said investigations revealed that the attackers may have had access to usernames, email addresses, session tokens and encrypted/salted versions of passwords.

“As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts,” he wrote in a blog post.

Twitter has notified all affected account holders by email that they need to create a new password.

The attack affected only around 0.13% of Twitter’s users, but the microblogging service has called on all users to make sure they are using strong passwords.

Twitter recommends passwords that are at least 10 characters and a mixture of upper- and lower-case letters, numbers, and symbols. It also warns against using one password for multiple online accounts.

In the light of recent exploits of Java vulnerabilities, Bob Lord echoed the advisory from the US Department of Homeland Security to encourage users to disable Java in their browsers.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident… For that reason we felt that it was important to publicise this attack while we still gather information,” he wrote.

Twitter is working with government and law enforcement officials to find and prosecute the attackers, he concluded.

Graham Cluley, senior technology consultant at security firm Sophos, has warned that attackers may use stolen email addresses to send messages that appear to be from Twitter.

These messages may be designed to trick recipients into disclosing more personal information or clicking on malicious links, he wrote in a blog post.

Using a stolen session token, an attacker could in theory hijack an account without knowing its password, at least until the token is revoked by Twitter or invalidated when the user or the attacker next logs off.
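The session-hijack scenario above, and the server-side revocation Twitter describes, as an added example. This is not Twitter's code and the article says nothing about how Twitter's session handling works; the session store, the token format, the time-to-live and the choice to key the table by a SHA-256 digest of each token are all assumptions made for illustration.

```python
"""Server-side session store: a stolen token works until revoked or logged out.

Added example; not Twitter's code. Token format, TTL and storing only a
digest of each token are assumptions made for illustration.
"""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple


class SessionStore:
    """Maps a digest of each issued token to (username, expiry time)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash of the token: a copy of this table does not by
        # itself give an attacker tokens that can be replayed.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        """Log a user in: mint a random token and remember who it belongs to."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[self._digest(token)] = (username, now + self.ttl)
        return token

    def whoami(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Resolve a presented token to a username, or None if it is not valid.

        Nothing here depends on the password: whoever holds the token is
        treated as the user, which is exactly the hijack risk in the article.
        """
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[key]                # lazily drop expired sessions
            return None
        return username

    def logout(self, token: str) -> None:
        """Invalidate one session; this is what 'logging off' does."""
        self._sessions.pop(self._digest(token), None)

    def revoke_all(self, username: str) -> int:
        """Invalidate every session of a user at once, whoever holds the tokens,
        and return how many were revoked. This is the server-side response the
        article describes for the affected accounts."""
        doomed: List[str] = [k for k, (u, _) in self._sessions.items() if u == username]
        for key in doomed:
            del self._sessions[key]
        return len(doomed)


def hijack_timeline(store: SessionStore) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Walk through the scenario with a fixed clock so results are deterministic.

    Returns what a stolen token resolves to (1) right after theft, (2) after
    the legitimate user logs off that device and (3) for a second stolen token
    after the service revokes all of the user's sessions.
    """
    t0 = 1_000_000.0
    token_on_phone = store.issue("victim", now=t0)        # victim's real session
    token_on_laptop = store.issue("victim", now=t0)       # a second real session
    # The attacker copies both tokens from the breached data.
    stolen_phone, stolen_laptop = token_on_phone, token_on_laptop

    after_theft = store.whoami(stolen_phone, now=t0 + 1)   # attacker is "victim"

    store.logout(token_on_phone)                           # victim logs off the phone
    after_logoff = store.whoami(stolen_phone, now=t0 + 2)  # that copy is now dead

    store.revoke_all("victim")                             # service-wide revocation
    after_revoke = store.whoami(stolen_laptop, now=t0 + 3)
    return after_theft, after_logoff, after_revoke


if __name__ == "__main__":
    print(hijack_timeline(SessionStore(ttl_seconds=3600)))  # ('victim', None, None)
```

Two points the walk-through makes: a token the user has not logged out of keeps working for the attacker until it expires, so a server-side revoke-all is the only response that does not depend on the victim's behaviour; and if the service stores only a digest of each token, as this store does, a leaked copy of the table is not by itself enough to replay sessions. The article does not say whether Twitter's stolen "session tokens" were raw or hashed, so that second point is a design choice, not a description of what happened.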

Attackers could also attempt to crack the stolen password hashes offline, running large dictionaries of commonly used passwords through the same salted hashing scheme and comparing the results. Salting stops one precomputed table from being used against every account at once, but it does not save a weak password: each account's hash simply has to be attacked separately.

If some of the passwords are cracked, the hackers could then attempt to see if the same passwords will also unlock victims' other accounts, such as their email, said Cluley.
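An added example covering the offline cracking and credential-reuse steps just described, and the password advice quoted earlier (at least 10 characters mixing upper- and lower-case letters, digits and symbols). This is not Twitter's code. The article says only that the stolen passwords were "encrypted/salted"; the scheme used here, SHA-256 over salt and password, is an assumption for illustration, and every account, salt, password, wordlist entry and the "other service" are constructed for the example.

```python
"""Offline dictionary attack on salted password hashes, then credential reuse.

Added example; not Twitter's code. The article says only that the stolen
passwords were "encrypted/salted"; the scheme here, SHA-256(salt || password),
is an ASSUMPTION for illustration (a real service should use a slow, tunable
hash). Every account, salt, password, wordlist entry and the "other service"
below is constructed for this example.
"""
import hashlib
from typing import Dict, List, Tuple

LeakRecord = Tuple[str, bytes, str]   # (email, salt, hex digest)


def hash_password(salt: bytes, password: str) -> str:
    """Assumed salted scheme: SHA-256 over salt || password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_leaked_records() -> Dict[str, LeakRecord]:
    """Constructed stand-in for the stolen dump: username -> (email, salt, hash).

    Fixed salts keep the example deterministic; real salts are random per user.
    """
    plaintext = {
        "alice": ("alice@example.com", b"\x01" * 16, "password1"),       # weak
        "bob":   ("bob@example.com",   b"\x02" * 16, "letmein"),         # weak
        "carol": ("carol@example.com", b"\x03" * 16, "Tr0ub4dor&3zq"),   # meets policy
    }
    return {u: (email, salt, hash_password(salt, pw))
            for u, (email, salt, pw) in plaintext.items()}


# Constructed wordlist of commonly used passwords (real ones run to millions).
WORDLIST: List[str] = ["123456", "password", "password1", "letmein", "qwerty", "twitter"]


def dictionary_attack(records: Dict[str, LeakRecord], wordlist: List[str]) -> Dict[str, str]:
    """Return {username: recovered password} for every hash the wordlist hits.

    Each record carries its own salt, so the hash is recomputed for every
    (salt, candidate) pair: salting rules out one precomputed table for all
    accounts, but a password that is in the wordlist still falls in one pass.
    """
    cracked: Dict[str, str] = {}
    for user, (_email, salt, digest) in records.items():
        for candidate in wordlist:
            if hash_password(salt, candidate) == digest:
                cracked[user] = candidate
                break
    return cracked


def build_other_service() -> Dict[str, Tuple[bytes, str]]:
    """Constructed second service (say, a webmail provider): email -> (salt, hash).
    Bob reused his password there; Alice chose a different one."""
    plaintext = {
        "alice@example.com": (b"\x0a" * 16, "a-different-passphrase"),
        "bob@example.com":   (b"\x0b" * 16, "letmein"),
    }
    return {e: (salt, hash_password(salt, pw)) for e, (salt, pw) in plaintext.items()}


def credential_reuse_hits(records: Dict[str, LeakRecord],
                          cracked: Dict[str, str],
                          other_service: Dict[str, Tuple[bytes, str]]) -> List[str]:
    """Try each cracked password against the same email address elsewhere.

    In practice the attacker just attempts a login; here the other service's
    hash table stands in for that so the example runs offline.
    """
    hits: List[str] = []
    for user, password in cracked.items():
        email = records[user][0]
        if email in other_service:
            salt, digest = other_service[email]
            if hash_password(salt, password) == digest:
                hits.append(email)
    return hits


def meets_twitter_policy(password: str) -> bool:
    """The advice quoted in the article: at least 10 characters mixing
    upper-case, lower-case, digits and symbols. Necessary, not sufficient:
    a qualifying string that sits in a wordlist still cracks instantly."""
    return (len(password) >= 10
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


if __name__ == "__main__":
    records = build_leaked_records()
    cracked = dictionary_attack(records, WORDLIST)
    print("cracked:", cracked)                    # {'alice': 'password1', 'bob': 'letmein'}
    print("reused elsewhere:", credential_reuse_hits(records, cracked, build_other_service()))
```

Running it shows the two weak passwords falling to a six-word list while the 13-character mixed password survives, and Bob's reused password opening his account at the second service. The per-salt loop is where a real deployment buys its defence: with a fast hash like the SHA-256 assumed here an attacker tries millions of candidates per second per account, whereas a deliberately slow, salted password hash (bcrypt, scrypt or Argon2 with a high work factor) makes each guess expensive, which is what turns "salted" from a speed bump into real protection for users whose passwords are not in a dictionary.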
