Following a string of revelations this week from several media companies who announced they had recently been hacked, Twitter announced on Friday that it had also been the target of a sophisticated attack.
In a blog post ironically titled "Keeping our users secure", the company wrote that it had detected unusual access patterns this week that led it to identify attempts to access user data.
"We discovered one live attack and were able to shut it down in process moments later," wrote Bob Lord, Twitter's director of information security. "However, our investigation has thus far indicated that the attackers may have had access to limited user information -- usernames, email addresses, session tokens and encrypted/salted versions of passwords -- for approximately 250,000 users."
As a result, the company said it had reset passwords and revoked session tokens for the accounts suspected of being affected. The company also sent an email to affected users informing them that their old password was no longer valid and that they would need to create a new one.
The email, received by Wired.co.uk's editor Nate Lanxon, reads:
"Twitter believes that your account may have been compromised by a website or service not associated with Twitter.
"We've reset your password to prevent others from accessing your account."
The email also warns users to "Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts."
Lord did not explain how the attackers got in and accessed the data, but said that he did not believe Twitter was the only company targeted.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," he wrote. "The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked. For that reason we felt that it was important to publicise this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users."
Twitter recently began bulking up its security team with a number of high-profile hires. In 2011 noted white hat hacker and security pro Moxie Marlinspike joined Twitter after the company acquired his mobile encryption firm Whisper Systems. Last September, Marlinspike helped bring on board fellow noted white hat hacker and researcher Charlie Miller.
Just two weeks ago, however, Marlinspike announced that he was leaving Twitter.
Twitter's hack announcement Friday comes in a week crowded with announcements about media companies that have been hacked. On Thursday, the New York Times revealed that hackers, who had been inside its network for at least four months, had succeeded in stealing the usernames and passwords of all of its employees in an apparent attempt to identify sources and gather other intelligence about stories related to the family of China's prime minister.
The hackers breached the network sometime around 13 September and stole the corporate passwords for every Times employee, using them to gain access to the personal computers of 53 employees, according to the report.
The hackers also broke into the email account of the newspaper's Shanghai bureau chief, David Barboza, who conducted the investigation, as well as the email account of Jim Yardley, the paper's South Asia bureau chief in India, who had previously worked out of Beijing.
The Times report indicated that the attack was part of a wave of attacks that appeared to come from China and were targeted against western media outlets.
The day after the Times announcement a report surfaced that the Wall Street Journal had also been hacked, followed the next day by a report that the Washington Post had also been targeted.