Beneath what may be the most passive-aggressive hack disclosure blog post title ever, Twitter today disclosed that it, too, has been compromised by hackers.
At least 250,000 user accounts were affected.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Twitter’s director of information security Bob Lord in the blog post titled "Keeping our users secure."
"Holy shit you guys a quarter million of your accounts wuz hacked!!1!" is more like it.
"China did it" is a reflexive response we're seeing around the web now, after recently confirmed reports that Chinese hackers targeted the New York Times, The Wall Street Journal, The Washington Post, and other high-profile sites—but Twitter has said nothing about the suspected origin of the attack. Looks like a well-known Java vulnerability is one common link.
As you may have read, there's been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
I noticed that Twitter was down or unreachable, off and on, for what seemed like a few hours yesterday morning. I wonder if the brownout was related to this news.
From chatter on Twitter, it seems that most of the affected accounts were older, or "owned" by users who had really early accounts? For what it's worth, I was user #767, and my account was affected: I received a password reset prompt this afternoon. But the tweets you see from @xeni promoting Viagra, raspberry ketones, and work-from-home schemes involving lonely Russian ladies? That's all me, guys.
Twitter hasn't disclosed detail on the perpetrator or method behind the breach. Perhaps we'll hear more soon.