

Keeping our users secure - anu_gupta
http://blog.twitter.com/2013/02/keeping-our-users-secure.html

======
ghshephard
See, this is where companies can now "game" HN. Instead of the clearly
more appropriate, "Twitter user accounts and password hashes compromised", we
instead get, "Keeping our users secure".

~~~
0x0
Until some other blog puts the real deal in the headline and gets more
upvotes, like this one:

<http://news.ycombinator.com/item?id=5154415> - "Twitter Hacked, 250,000 User
Accounts Potentially Compromised"

~~~
devindotcom
yeah, I actually submitted the link a minute or two after OP with a more
descriptive title but it sent me here, and chances are it will hit the top
with 500 or so anyhow.

------
dotBen
I'm one of the 250k accounts that were compromised. Seeing as they are saying
the attackers got the salted hashed passwords, not the originals, I'm
wondering if that means it was Twitter's systems that were compromised as
where else would those be obtainable from?

I'm wording the above to refrain (yet) from declaring "Twitter was hacked" but
I guess that is what it is looking like :(

~~~
devindotcom
Did they send you your email yet? Would you mind pasting it here if you do, for
posterity if nothing else?

~~~
dotBen
Yep I got it before they even posted the blog post, and my friend in security
@ Twitter couldn't yet reveal why. Here's the email:

_Hi, dotBen

Twitter believes that your account may have been compromised by a website or
service not associated with Twitter. We've reset your password to prevent
others from accessing your account.

You'll need to create a new password for your Twitter account. You can select
a new password at this link: <https://twitter.com/pw_rst/[redacted]>

As always, you can also request a new password from our password-resend page:
<https://twitter.com/account/resend_password>

Please don't reuse your old password and be sure to choose a strong password
(such as one with a combination of letters, numbers, and symbols).

In general, be sure to:

- Always check that your browser's address bar is on a <https://twitter.com>
website before entering your password. Phishing sites often look just like
Twitter, so check the URL before entering your login information!
- Avoid using websites or services that promise to get you lots of followers.
These sites have been known to send spam updates and damage user accounts.
- Review your approved connections on your Applications page at
<https://twitter.com/settings/applications>. If you see any applications that
you don't recognize, click the Revoke Access button.
- For more information, visit our help page for hacked or compromised accounts.

The Twitter Team_

------
devindotcom
Seems like all they can do is match usernames to emails at this point, if the
passwords were properly obfuscated.

Although... session tokens are gone, but could have been exploited during the
window between the hack and the token purge, right?

------
seldo
The timing of this hack, and the fact that Twitter was (at least at one point)
a Rails app, and still uses Ruby on the front end, makes me think this is
likely a YAML vulnerability exploit. Can anyone confirm/rule this out?

~~~
bradleyland
I don't think they were vulnerable to that particular exploit. I know someone
who ran the Metasploit Rails XML/YAML vulnerability scanner against
Twitter.com almost immediately after it was released, suspecting that they
might be vulnerable. They were not.

~~~
seldo
The main site itself was very unlikely to be vulnerable, but support apps,
internal apps, etc. are all vectors.

------
0x0
So does that mean that juicy DMs will be pastebin'ed too?

