Twitter hacked, up to 250,000 accounts compromised

2013 is already starting to be a ripe year for security breaches, with Twitter today reporting that their security systems were breached and information for around 250,000 accounts may have been accessed. Twitter's Director of Information Security Bob Lord says that usernames, email addresses, session tokens and encrypted/salted passwords were potentially accessed, but nothing more serious than that.

As Twitter's stored passwords were encrypted, there's little chance that the hackers could recover the actual plain-text passwords, but as a "precautionary security measure" Twitter has reset the passwords and revoked session tokens for all affected accounts. If you were one of the 250,000 accounts affected, you should shortly receive an email informing you that you'll need to create a new password; this is a very small percentage of Twitter's overall user base, so most users should not expect to receive one.

The good news is that Twitter discovered the attack while it was still in progress, meaning they could shut it down before more data was accessed. Bob Lord believes that the attack was "not the work of amateurs" nor an "isolated incident", saying instead that the attackers were extremely sophisticated and that other organizations may have been attacked by similar methods recently.

Twitter is currently working with law enforcement agencies to try to find the people responsible for this attack, while also reminding people (once again) to disable Java on their computers.

Source: Twitter | Image via Engadget


44 Comments


"Nothing more serious than that" ... You're kidding, right? I got that email, and I'd consider that VERY serious.

Raa said,
"Nothing more serious than that" ... You're kidding, right? I got that email, and I'd consider that VERY serious.
He is not saying that it was not serious. He said that it was not more serious.

Well, I DIDN'T get an e-mail? You know after reading this and getting worried and worried and worried and then finding out my account hasn't been hacked feels like a huge letdown now.

What's your email and Twitter name? I can do some social engineering and take over your account... if it makes you feel any better lol....

"salted hashtags" - hmmmm, that sounds like a great beer snack
Seriously, I checked my mail this morning and the only mail I had from Twitter was the usual "Here's what is happening on Twitter" email. Changed my password as a precaution anyway.
Also finally realized the importance of starting to use stronger passwords; with all this hacking going on left and right, and most people not even knowing that an account has been hacked, better password security is a must.
Sorry for those whose details were actually taken; no matter how much or little was taken, it is still a violation of your privacy.

Torolol said,
Eh, why didn't I get that email?
I did have the usual "here's what happened" one but not that one.

If you didn't get that email, like me, does that mean you're safe? At least...

Pluto is a Planet said,
Oracle does make all its money from databases, so it's actually possible.

Microsoft make all their money from selling operating systems.
It was Microsoft #tinfoilhat

Apple make all their money from selling operating systems.
It was Apple #tinfoilhat

Google make all their money from advertising, Google advertised Twitter.
It was Google #tinfoilhat

Tidus4eva said,

Microsoft make all their money from selling operating systems.
It was Microsoft #tinfoilhat

Apple make all their money from selling operating systems.
It was Apple #tinfoilhat

Google make all their money from advertising, Google advertised Twitter.
It was Google #tinfoilhat

How about you don't use hashtags on sites other than Twitter? God..

'says that usernames, email addresses, session tokens and encrypted/salted passwords were potentially accessed, but nothing more serious than that.'
Nothing more serious than that? Sorry, but someone getting potential access to my password is very ****ing serious. People sign up to a site where the head of security goes on record saying having your password stolen isn't serious, wow.

To clarify, the head of security didn't actually say "nothing more serious than that"; I wrote that to indicate nothing more serious had been taken, e.g. plain-text passwords, private data (direct messages), etc.

xendrome said,
"encrypted/salted passwords"

When you figure out how that works, feel free to comment back.


When you find a foolproof encryption method that can't be cracked using dictionary or brute force attacks, feel free to comment back. OH WAIT...
Salting only prevents rainbow tables.
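As an added illustration of the point in the comment above (this is example code, not part of the article or any commenter's post): a per-user salt makes a precomputed digest-to-password lookup table (the simplest form of what the comment calls a rainbow table) useless, because two users with the same password end up with different stored digests, but it does nothing to make a weak password harder to guess one account at a time. That second gap is why a deliberately slow construction such as PBKDF2 is used. The iteration count, the sample passwords and the toy lookup table are all constructed for the example.

```python
"""Added example: per-user salts versus a precomputed lookup table.
Nothing here is from the article or the comments; the sample passwords,
the toy lookup table and the PBKDF2 iteration count are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed iteration count for PBKDF2-HMAC-SHA256; chosen for the example so
# the demo stays quick while still being far slower than a single SHA-256.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given,
    so two users who pick the same password get different stored digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def same_password_different_digests(password: str) -> bool:
    """True when hashing the same password twice yields distinct salts and digests."""
    s1, d1 = hash_password(password)
    s2, d2 = hash_password(password)
    return s1 != s2 and d1 != d2


def unsalted_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Toy precomputed table: plain SHA-256 hex digest -> password (constructed)."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in words}


def unsalted_records(words: Iterable[str]) -> List[Tuple[bytes, bytes]]:
    """What a store that forgot to salt would hold: empty salt, bare SHA-256 digest."""
    return [(b"", hashlib.sha256(w.encode("utf-8")).digest()) for w in words]


def lookup_table_hits(records: Iterable[Tuple[bytes, bytes]], table: Dict[str, str]) -> int:
    """Count stored records the precomputed table recovers with a single dictionary lookup.
    Unsalted records are found immediately; salted ones never match, because the table
    would have to be rebuilt for every distinct salt value."""
    return sum(1 for _salt, digest in records if digest.hex() in table)


if __name__ == "__main__":
    common = ["password123", "letmein", "123456"]          # constructed sample list
    table = unsalted_lookup_table(common)
    print("unsalted store hits:", lookup_table_hits(unsalted_records(common), table))  # 3
    salted = [hash_password(w) for w in common]
    print("salted store hits:  ", lookup_table_hits(salted, table))                     # 0
    salt, digest = salted[0]
    print("verify correct:", verify_password("password123", salt, digest))             # True
    print("verify wrong:  ", verify_password("hunter2", salt, digest))                 # False
```

Note that the zero hits against the salted store say nothing about password strength: the verifier still accepts "password123" for that account, and anyone holding the salt can test guesses against that one record at the cost of one PBKDF2 call per guess. Salting removes the shared precomputation; the slow KDF and a strong password are what raise the per-account cost.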

It was caught in progress, and the accessed accounts were immediately reset. Since it was in progress when it was caught, there's no way they had a chance to decrypt and use the hacked passwords before they were reset. No big deal.

n_K said,

When you find a foolproof encryption method that can't be cracked using dictionary or brute force attacks, feel free to comment back. OH WAIT...
Salting only prevents rainbow tables.

When you figure out some way to crack 128-bit (at least) encryption or have the computing power to do it in under 1 billion years, feel free to comment back.

The fact of the matter is, nothing of value was lost.

Invizibleyez said,
Seems like a phishing scam to me. Isn't the link supposed to show http://www.twitter.com and not just twitter.com? I am suspicious.

Most domains will work whether you type the 'www' or not. And you can't have two different domains where one has www and one doesn't. They will always go to the same site, or the domain without www will just throw up an error page. This is basic stuff...

1Pixel said,
And you can't have two different domains where one has www and one doesn't. They will always go to the same site, or the domain without www will just throw up an error page.

Sure you can, depends on how the nameserver's set up.

1Pixel said,

Most domains will work whether you type the 'www' or not. And you can't have two different domains where one has www and one doesn't. They will always go to the same site, or the domain without www will just throw up an error page. This is basic stuff...


That last part is just plain wrong. I can easily set up my domains to have http://mydomain.com lead to a different site than http://www.mydomain.com. In fact, I have done that on several occasions when I set up a new site on a different subdomain and want to redirect the parent domain to that new subdomain.

That's not technically correct, as I'm sure you would agree that Amazon owns amazon.co.uk, amazon.com.au, amazon.co.jp, etc, and not the government for those regions
(In reply to Pluto is a Planet)

Sraf said,
That's not technically correct, as I'm sure you would agree that Amazon owns amazon.co.uk, amazon.com.au, amazon.co.jp, etc, and not the government for those regions
(In reply to Pluto is a Planet)

What does this have to do with it? People are wondering about the difference between www and no www on that specific site. Some sites allow you to change language and some require you to visit a different domain for a different language.

1Pixel said,

Most domains will work whether you type the 'www' or not. And you can't have two different domains where one has www and one doesn't. They will always go to the same site, or the domain without www will just throw up an error page. This is basic stuff...


But some domains will not work. You will be redirected to a Default Web Page or IIS page.

Sraf said,
That's not technically correct, as I'm sure you would agree that Amazon owns amazon.co.uk, amazon.com.au, amazon.co.jp, etc, and not the government for those regions
(In reply to Pluto is a Planet)

You can't go to http://com.au, http://co.jp, nor http://co.uk. These aren't domains themselves, they're just extensions (like .com, .edu, and .net).

They are second-level domains, due to how the governments in those countries deal with the TLDs. The UK, for example, reserves all non-.co.uk domains exclusively for government websites. Just because an HTTP server doesn't sit on co.uk doesn't mean that there isn't a server representing it. What this means is that 'blog' in blog.twitter.com is a tertiary-level domain, 'amazon' in amazon.com is a secondary-level domain, and 'amazon' in amazon.co.uk is a tertiary-level domain (like the blog example!)

That's what I'm getting at: saying that whoever owns the SLD automatically owns the tertiary-level domain is technically incorrect.

Sraf said,
What this means is that 'blog' in blog.twitter.com is a tertiary-level domain, 'amazon' in amazon.com is a secondary-level domain, and 'amazon' in amazon.co.uk is a tertiary-level domain (like the blog example!)

That's what I'm getting at: saying that whoever owns the SLD automatically owns the tertiary-level domain is technically incorrect.


blog.twitter.com is more like an addon domain. Just like if you own a free one (e.g. co.cc or au.tc or even uni.org etc.), they are addon domains. It's true that companies could have as many sites as they want on one server, but then employees from different countries would have to know a single password, and that's why companies in different countries have their own server/data center, so they don't have to rely on that one server and take up its bandwidth and memory.