Twitter Hacked – 250,000 User Accounts Potentially Compromised (allthingsd.com)
307 points by kmfrk on Feb 2, 2013 | hide | past | favorite | 147 comments

This is the text of the message I received (once for each account, all created back around the same time January 2007):

  Hi, dewitt

  Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.

  You'll need to create a new password for your Twitter account. You can select a new password at this link: ***

  As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password

  Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

  In general, be sure to:

  Always check that your browser's address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
  Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
  Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognize, click the Revoke Access button.
  For more information, visit our help page for hacked or compromised accounts.

  The Twitter Team 
Best of luck to the security and support teams. Days like these are not fun at all.

And for people trying to puzzle out who was impacted, several of these accounts (all with random strings for passwords, btw) were barely ever used at all, often not for several years. The only thing they had in common was their early creation date, and hence relatively low user ids. My guess is that the hackers simply scanned user ids starting from 1 and worked their way up.
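The sequential-scan hypothesis above is something a service operator can look for in its own API logs. The following detector is an added example, not code from the thread or from Twitter; it assumes a constructed log format (client IP, timestamp, request path with a `user_id` query parameter, modelled on the `users/show.xml?user_id=` endpoint mentioned later in the thread) and tolerates gaps in the ID sequence, since the thread notes the uid range has holes.

```python
"""
Detect sequential user-ID enumeration in API access logs (added example).

Rule: a single client whose requested user_ids form a long run of small,
positive steps inside a short time window is flagged. Gaps are tolerated
(auto_increment_increment > 1 left holes in the uid range), so the rule is
"mostly increasing in small steps", not "strictly +1".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
198.51.100.7 2013-02-01T03:14:01Z GET /1/users/show.xml?user_id=12
198.51.100.7 2013-02-01T03:14:02Z GET /1/users/show.xml?user_id=13
198.51.100.7 2013-02-01T03:14:02Z GET /1/users/show.xml?user_id=14
198.51.100.7 2013-02-01T03:14:03Z GET /1/users/show.xml?user_id=16
198.51.100.7 2013-02-01T03:14:03Z GET /1/users/show.xml?user_id=17
198.51.100.7 2013-02-01T03:14:04Z GET /1/users/show.xml?user_id=20
198.51.100.7 2013-02-01T03:14:04Z GET /1/users/show.xml?user_id=21
198.51.100.7 2013-02-01T03:14:05Z GET /1/users/show.xml?user_id=22
203.0.113.9 2013-02-01T03:14:01Z GET /1/users/show.xml?user_id=5511
203.0.113.9 2013-02-01T03:20:11Z GET /1/users/show.xml?user_id=793689
203.0.113.9 2013-02-01T03:25:40Z GET /1/users/show.xml?user_id=3750
"""

# Assumed (constructed) log line layout: "<ip> <iso-timestamp> GET <path>"
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) GET /1/users/show\.xml\?user_id=(?P<uid>\d+)$"
)


def parse_log(text):
    """Return {ip: [(timestamp, user_id), ...]} in log order."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a users/show lookup; ignore
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        per_client[m.group("ip")].append((ts, int(m.group("uid"))))
    return per_client


def longest_increasing_run(uids, max_step):
    """Length of the longest run of consecutive requests in which each
    user_id exceeds the previous one by 1..max_step (gaps allowed)."""
    best = run = 1 if uids else 0
    for prev, cur in zip(uids, uids[1:]):
        if 0 < cur - prev <= max_step:
            run += 1
            best = max(best, run)
        else:
            run = 1
    return best


def find_enumerators(text, min_run=5, max_step=8, window_seconds=600):
    """Return {ip: run_length} for clients whose lookups look like an ID scan.

    Thresholds are assumptions for this example; tune them to real traffic."""
    suspects = {}
    for ip, events in parse_log(text).items():
        events.sort()  # by timestamp, then user_id
        for i in range(len(events)):
            start = events[i][0]
            # user_ids requested inside the window that opens at event i
            in_window = [uid for ts, uid in events[i:]
                         if (ts - start).total_seconds() <= window_seconds]
            run = longest_increasing_run(in_window, max_step)
            if run >= min_run:
                suspects[ip] = max(suspects.get(ip, 0), run)
    return suspects


if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG).items():
        print("possible ID enumeration from %s: run of %d" % (ip, run))
```

The second client in the sample looks up three unrelated IDs minutes apart and is not flagged; the first walks 12 through 22 in a few seconds and is.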

I'm seeing a ton of people I know on twitter complain - I'm user 5511, and these are people who joined at the very beginning too - so your theory is indeed apparently correct. I got an email myself, and reset my already super complex password.

User 5,260 and an active, daily user. Got an email that my account was impacted.

I don't know what # user I am (how can I get this information?) but my twitter account was also created in 2007 (on the 8th of April says whendidyoujointwitter.com) and is still active. Also received the email.

The Twitter API exposes a user's ID. Some Twitter clients (like Tweetbot) show this information. You can use http://mytwitterid.com/ to find yours.

Or just view source on twitter.com (after logging in) and search for the first instance of "data-user-id"

3750 and ditto.

That would explain the high incidence among hackers, who are more often early adopters. I've been surprised by how many people I've heard of getting the email, including people in this comment thread and myself, considering only 250,000 emails were sent out of their couple hundred million accounts.

Only 2950 accounts with IDs from 1 to 6136 still exist, so there's been pretty much a 50% attrition rate at that level.

Yeah I received the email from Twitter, account created in April 2007 and haven't tweeted since 2010.

Are there big gaps in the early user ids? I'm 4145801 and received this message.

Twitter employee, here. At one point in time, auto_increment_increment was > 1 on the MySQL master for uid generation. This led to many holes in the uid range.

Yeah - I'd say there are big gaps. I'm 1577581 and got the email. You can check people's join dates here http://www.whendidyoujointwitter.com/

Thanks! I'm 793689, joined 25 February 2007, and got the e-mail.

I've been suspecting the same thing. Two of my accounts received the email, both created several years ago, while none of my newer accounts have been compromised.

any chance it was through an app that you allowed access?

No. I suspect their email template was out of sync with this particular incident.

That means https://api.twitter.com/1/users/show.xml?user_id=12 13 14 were hacked too. And those must have been accounts of interest if not of others' and the gentry.

This is bullshit. I just got this message, and until I signed into HN I had no idea if Twitter was hacked or if there was a problem on my end. Which would be alarming, because all of my passwords are 30+ random characters, and I never reuse passwords across websites. Fuck you, Twitter.

Just a guess here, but maybe to get the emails out to users fast they re-used an existing template that was intended for resets due to 3rd party incidents.

Seems to be that way.

I just got a second 'Twitter Password Reset' email with more explanatory information now, almost two and a half hours after the first.

Even if this is true, it is very sloppy for a company the size of Twitter.

  def random_password(n):
      random_char = '1' # chosen by fair dice, guaranteed random
      return random_char * n

Just kidding. That stinks. I'm guessing your password was quite strong. Any idea how many bits of entropy it was?

It sounds like at this point Twitter sent out the email in parallel with trying to figure out how these compromises happen. Since they salt the hashed passwords, they don't know how complex your password was. Of course, you should still change your password. I changed my 80-bit Linkedin password after it was stolen.

Agree. I didn't know what was going on. I use 17 random char passwords too and the way the email is written makes it sound like I did something wrong.

What could Twitter have done better? What would you do if your users' accounts were compromised?

Where and how do you store these individual 30+ character passwords

I use lastpass, it's a great product.

Doesn't seem a great idea. When it gets hacked they get all your passwords.

LastPass encrypts all of the passwords client side. Assuming you use a strong enough passphrase it shouldn't matter if LastPass gets hacked.

Twitter uses bcrypt, so in theory this hack should also be nothing to worry about.

is there an alternative where this is not the case?

My own solution is to have two different passwords for everything - one for banking and credit cards, another for crap like twitter/linkedin. I haven't changed my passwords for years (no point really, as you're likely to have the breaking as soon as they get your password).

I think there are risks with all solutions to the password problem.

I'll add a datapoint here too. I also had my password reset.

Creation date: March 2007

User ID: 2,7xx,xxx

Surely these sorts of messages are prime candidates for opportunist phishing attacks?

Official blogpost: http://blog.twitter.com/2013/02/keeping-our-users-secure.htm...

Edit: I wonder if the bad guys were able to access private Direct Messages, too. There's always talk about resetting passwords, but nobody ever mentions all the other confidential data that might be pastebin'ed later.

    This attack was not the work of amateurs, and we 
    do not believe it was an isolated incident. The 
    attackers were extremely sophisticated, and we 
    believe other companies and organizations have 
    also been recently similarly attacked.
Anyone have any clue what the possible motives behind this could be? My best guess is someone is trying to mine for private data that may have been sent over DM (Maybe Obama is sending nuke launch codes over DM). Other than that twitter's data is mostly public and I don't see the benefit of carrying out such an attack to simply impersonate Justin Bieber on Twitter. I also don't suspect Twitter to be the type of company that would leave their passwords easily crackable either. Doesn't make sense that they were mining for valid emails either, there are cheaper ways of getting access to those.

"HACKED BY CHINESE!!!" is the default assumption.

There are moderate numbers of people who use Twitter for online activism. That would point more to Syria or Iran or another Middle Eastern country, since Twitter is more popular there than in China or the Chinese language.

Nobody hacks Twitter just to get valid emails or impersonate someone. That's ridiculous.

Pretty clearly this was the work of governments e.g. China, Iran who are trying to find out more about political dissidents or the sources of leaks. They are the only ones who would use lucrative exploits against Twitter, NYT, WSJ etc.

There is nothing clear about this attack at all, thus it's grossly unfair to cast aspersions on any country or select group of individuals unless there is hard evidence.

So to make this clear, the best guess is these attacks are being done by governments in an effort to find out who is leaking data to Twitter, NYT, etc?

Pretty interesting if you ask me, is it likely the US would sic the best hackers at the NSA if top secret information was being leaked on the bizarro world's Chinese Twitter? It almost sounds like the prologue to the world's first CyberWar.

To reiterate what I've been posting elsewhere, I'm sure there is a lot of compromising material in the Direct Messages of certain well-picked accounts, for a wide range of motives.

Or perhaps US government...

At first I thought the email was phishing but sure enough my acct was reset even with 17 chars. I wonder if Twitter can cull any correlations from this compromised pool, epidemiological-like

> usernames, email addresses, session tokens and encrypted/salted versions of passwords

Wow, finally a breach where the hackers DIDN'T make off with all of our passwords in plain-text. Kudos to Twitter for actually handling passwords properly, considering the eventuality that all websites are vulnerable to attack.

I would feel better if I knew how they handled passwords. Hopefully it is a hash and not encrypted. And hopefully that hash method is bcrypt (or something similarly painful to crack).

my first thought when reading the mail was exactly this: oh nice, salted and hashed but _how_?

I remember a time when many people assumed md5("notreallysalt"+password) was a good practice, and twitter is old.

I really don't like how they decided to release this on a friday afternoon. I know exactly why they did it, and why it is a smart PR move but it also means two things:

- People's accounts might have been compromised earlier "this week" and they could have used that extra warning time to make sure the damage didn't spread to their other online accounts.

- People who might have been compromised are now less likely to see the announcement, so if anything is compromised there's less chance they will react to mitigate damages.

Great for PR, horrible for their users.

I'm inclined to give them some benefit of the doubt. It seems like they could have found out on, say, Tuesday, started investigating (post-intrusion analysis is very lengthy to do thoroughly) and the boss said "we need to release a statement by the end of the week, so find out what was taken and how users are affected."

They'll likely be doing forensics for months after this, so alerting the public a few days in to the investigation is actually pretty good.

What you should be concerned about is all of the companies who got owned in this campaign and will not be confessing. This is big, and a few more companies will admit it early, a few will sneak vague statements in their SEC disclosures, and a few will cover it up completely.

There is another possibility, which is that they didn't work out what was going on until Thursday.

And anyone whose account has been compromised has received an email, a far more likely way of seeing the message than relying on everybody to occasionally check Twitter's blog for news.

The official Twitter release was titled "Keeping our users secure". My gut response after reading the first couple of paragraphs was, "Are you fucking kidding me?" That title, combined with the day/time of release really has the cynic in me riled up.

EDIT: It'd be great if anyone willing to downvote would explain why it's OK for Twitter to title a notice involving a breach of security resulting in the exposure of 250,000 records containing sensitive information, "Keeping our users secure". Because it really kind of pisses me off when I read it.

EDIT, EDIT: Highest karma volatility (up, down, up, up down, etc) of any comment I've ever posted on Hacker News. I really am genuinely interested in counter points.

Settle down. "Keeping our users secure," just means "There was a problem, and here is what we have done to mitigate it." You have correctly observed that they chose, in their announcement, to downplay the breach and focus on what steps they've done to address it. What did you expect?

Let's all take a deep breath and remember: It's. Just. Twitter.

It doesn't really matter to me who the message comes from. When did the truth cease to matter? I'm not naive. I recognize that this kind of thing happens all over the place, but that's exactly why I get so frustrated at this type of communication, and frankly, at your response. If your attitude becomes, "Oh well, it's just Twitter, so the dishonesty doesn't matter," then we can only expect more of the same. Everyone around Twitter will watch as they perpetrate falsehoods in communication, and they will follow suit.

It's not that "dishonesty doesn't matter" it's that you really shouldn't expect a company to go out of its way to call attention to its own screwup. They only want to bring this to the attention of people who need to know for security reasons, and they directly emailed all of those people. The sole purpose of the blog post was "oh, in case you heard about a security breach, you'll be happy to know that we've mitigated the problem. Aren't we doing great?" Even if you think the answer is "no," there is really nothing dishonest there.

Though twitter seems trivial to a lot of people, Wikipedia has 4 different suggestions[1] when you search for 'twitter revolution'. So perhaps it's not so trivial and celebrity-focused as it seems to us non-users.

[1] http://en.wikipedia.org/wiki/Twitter_Revolution

And if someone used Post-it Notes in a novel way to aid revolutionary efforts, we'd suddenly decide that they are a critical piece of infrastructure that needed to be super-secure, too, right?

It's just twitter.

HN meta: It would be interesting to see per-comment volatility as an indicator of moderation convergence. Anyone know if the HNSearch dataset is rich enough to do this?

Yeah, the title is misleading and sounds so boring that a lot of people might not even bother reading any further.

Okay here's a few counter points:

1) There is no evidence that all of the records were compromised. So Twitter is keeping users secure by proactively resetting passwords.

2) People need to get over this Friday afternoon release. Twitter is a global company so it's not Friday everywhere and regardless it could purely be coincidental.

"Twitter is a global company so it's not Friday everywhere ..."

You're right. In some places it's the middle of the night, and in some places it's Saturday morning... prime time for a press release.

The Friday release thing doesn't aggravate me nearly as much as the title.

Security is tough. Really, really tough. I'm not here to crucify them for the breach, but the title glosses over the event in a way that is disingenuous at best. When you border on dishonesty with your title, people begin to question your motives.

The title isn't meant for anyone whose account was compromised. Mine was, I got an email. The subject was "Twitter has reset your account password". No beating around the bush there.

I'm not upset, it sounds like they detected it quickly and went out of their way to make sure everyone was not only notified but ensured that their account was safe. 250k users is a very small number of their accounts. A literal drop in the bucket. It sounds to me that they're going after the hackers and I appreciate that.

Was your account compromised?

That seems really unlikely - if there is one ancient rule in PR it's

  The break-in didn't Dick Nixon, the cover-up dicked Nixon
This is one of the world's best-known sites - everything about this will be hot news. Only a fool would cover it up.

Sadly you are exactly right. I wish companies would put both of these things first. Why so often does one have to come at the expense of the other?

Yes I know this is "naive" thinking, but I also think it's the kind of thinking that can change a company for the better. Would it be easy? No. But in the end it is the users that have to not think so critically of these "political pitfalls" (my words). Hacking happens, time and time again this stuff happens. If Twitter (or another company) took measures to protect their users and didn't do something completely stupid like keeping plain text info, we should all just take what happened for what it is and move on. With these situations becoming more and more common we are going to have to do this anyway.

Or it could have actually just been discovered today. It's too easy to sit from afar and assume the worst. Maybe sometimes things just happened this way.

Maybe the "bad" people involved in the attack figured if they got away with it less people would be looking on a weekend so they could get further.

Just saying... it's easy to assume "big" companies do what's best for them always... but really they're just a bunch of people trying in most cases to do the right thing. So, before you click "fire" on that enter key... think about it.. there are people on the receiving end... probably a lot like you.

I don't think they would have said "this week" if they could have gotten away with "today". "Today" sounds a lot less dangerous, prolonged, etc.

Today could be really bad if they discovered later that the attack had been going on longer tomorrow... never know which way the spin or reporting is taking the real story once it hits print...

Looking into the timing of this is borderline conspiracy theorist. Would you rather they have sat on the post until Monday?

With incident response for an active service, priority one is segregation and mitigation, priority zed is writing a blog post about it.

I'm guessing they got a non-anonymized mini dump of the database for local development. An engineer may have had a small subset of data on his local machine.

That actually sounds very likely!

Salted and hashed passwords? Companies emailing affected users? What is this, the future?

Companies that do not allow remote attackers to gain access to their DB?

Not that I disagree with you but it's not exactly as if Twitter was a role-model of security on this one...

I was an engineer at Google when the Aurora attacks happened. Until we know more about the attackers and how it was pulled off, we don't know if this was amateur hour security, or if Twitter was facing an Advanced Persistent Threat with multiple 0days and custom malware.

Google used a combination of kerberos, SSH public key auth, client-side SSL certs, and a custom crypto system called Low Overhead Authentication System (LOAS), all of which utilize zero-knowledge proofs rather than sending passwords to the server. Google still got compromised, using a (0day?) Adobe Reader exploit sent via impersonating a co-worker on AIM or MSN Messenger (as I remember).

Let's leave the jury out on this one until we find out what happened.

That's insane. Is there a write-up about the security behind that Google server configuration?

I'm not aware of any such public documentation. Given the sorts of highly capable threats Google is up against, I imagine they want to do everything in their power to slow down attackers.

Also, they don't even allow the codenames of various parts of their infrastructure to be leaked, much less how the parts relate and how they're protected.

I'd really like to see LOAS open-sourced. I imagine that, like Kerberos, it's based on Needham-Schroeder, but I've never seen its source code or any design documentation.

One discussion I didn't see in the earlier NYT hack discussion (http://news.ycombinator.com/item?id=5143046) was what current best practices/readily available tools are for containing/detecting attacks, from the perspective of running a corp network/startup service, and as an end-user when faced w/ APT-level attacks?

For those deep in the trenches, is there a good resource for getting started for those technically inclined/interested in learning more? Presumably there are basic things like proper firewalls and MFA, but also more advanced things like pattern/anomaly detecting IDS's or traffic monitoring tools?

On the user side, are there smarter ways for detecting when your system is RAT infested (seems like an IDS running on your laptop should be able to notify you if your system is sending out a new VNC/IRC connection...)

Back when I was more into system/network security, the open source tools (Tripwire, AIDE, Snort) were all ... rather manual/labor intensive. Have things evolved as the sheer amount of attacks/attack vectors have increased?

Hmm. Perhaps that explains why I got an email from them saying my account was compromised. Specifically, it said "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account." It then went on to imply that I was phished, which is extremely unlikely (not only am I incredibly paranoid about that kind of thing, but I haven't actually entered my Twitter password on any website in a long time. I just use the mobile app on my phone.)


I got a similar message several months back, but that wasn't part of a larger leak; apparently some website I'd used a while ago had been compromised and I was using my throwaway password on Twitter at the time. Suffice to say, it's using a real one now - fifty-some-odd characters of random garbage generated and stored by 1Password. It's never been used anywhere else, so getting this email a second time just now was quite a shock (this time, my reaction was "really guys, again?" rather than "wtf?")

To their credit, they caught the first instance crazy-fast (my password had been reset automatically within about five minutes of a rogue tweet, though not before a friend texted me about it). This time I didn't see any activity at all, so I assume it was more proactive.

I'd still like an MFA option, especially with how infrequently I actually log in to twitter. However, I do like the "check your OAuth grants" page you're taken to after changing your password.

Me too, and I've never attached an app to twitter. (I've got an account that I basically have signed into 3 or 4 times in 5 years). I'm curious why my username came up as being compromised, unless they're doing something sneaky about updating all passwords older than x yrs old.

edit: The attacker got salted password hashes. That explains it.

Maybe they stopped the hackers in the middle of dumping the database and they only got away with the earliest accounts created.

Got also the message. My account was created in January 2007 and user id is about 700k. So this could be the case.

Iirc, my usernumber is ~ 700k. So, probably an early version of the hash, unless they silently upgrade on logins.
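The earlier comment about md5("notreallysalt"+password) and this one about silently upgrading hashes on login describe the two halves of a real migration problem. The code below is an added example (not Twitter's code) that contrasts a constant-salt MD5 record with a per-user-salt slow hash and rehashes legacy records transparently on a successful login; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, and the user table is a constructed dict.

```python
"""
Legacy constant-salt MD5 vs per-user salted slow hash, with upgrade-on-login.
Added example; PBKDF2 is used as a stand-in for bcrypt (not in the stdlib).
"""
import hashlib
import hmac
import os

LEGACY_SALT = b"notreallysalt"  # the constant "salt" the thread jokes about
PBKDF2_ROUNDS = 200_000         # work factor; assumption for this example


def legacy_hash(password):
    """md5(constant_salt + password): identical passwords give identical
    digests for every user, so one cracked record cracks them all."""
    return "md5$" + hashlib.md5(LEGACY_SALT + password.encode()).hexdigest()


def modern_hash(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify(stored, password):
    """Verify a password against either record format (scheme-prefixed)."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        return hmac.compare_digest(legacy_hash(password), stored)
    if scheme == "pbkdf2":
        rounds, salt_hex, dk_hex = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError("unknown hash scheme: %s" % scheme)


def login(users, username, password):
    """Check credentials; on success, silently rehash a legacy record with
    the modern scheme. Records of users who never log in stay legacy, which
    is exactly the population a leaked old table exposes."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("md5$"):
        users[username] = modern_hash(password)
    return True


def demo():
    """Constructed user table: two users with the same weak password."""
    users = {"alice": legacy_hash("hunter2"), "bob": legacy_hash("hunter2")}
    same_digest = users["alice"] == users["bob"]   # True: constant salt
    login(users, "alice", "hunter2")               # alice is upgraded
    return same_digest, users


if __name__ == "__main__":
    same, table = demo()
    print("legacy digests identical:", same)
    for name, rec in table.items():
        print(name, rec[:20] + "...")
```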

I just got the reset email, and my uid is in the 3.8 million range, created 4/2007.

Could be. My account dates from 2006, and my userid is sub 50k.

Or more likely the database is sharded and they just compromised those physical machines.

That sounds odd, 250k out of 500m sounds like way too little data for even a single shard, no? And why would only a single shard be vulnerable?

Yup, just got the same email. I really wish they had linked to the blog post and explained the situation in more details instead of using the standard email template. It's interesting though that one of the recommendations was to revoke access to third-party apps.

I wonder if this is related to the Rails YAML issues (https://news.ycombinator.com/item?id=5145397)

The way these things have been going (client-side vulnerability exploitation), I would suspect that the exploited vulnerabilities were closer to the laptops of Twitter employees than the Twitter application itself.

The blog post mentions turning off Java in your browser, which could be a clue to the attack vector Twitter suffered, and it's written by someone from "Information Security" rather than someone from Application Security.

Great point. I'm sure it's easier to compromise a developer or sysadmin and use that to jump onto the production system, rather than going straight at the main app.

Issue is that you don't know which of the tens of thousands of internal IP addresses would correspond to the one or two sysadmins who would have production access.

Which means either the production servers were hacked or there was a widespread compromise of their internal network and systems e.g. email, IM.

I'm sure more than 2 people at twitter have production access.

And identifying the senior staff isn't probably that hard, they probably have quite visible twitter accounts.

As someone mentioned in a completely different thread, it'd be enough to have a vulnerable rails running on localhost:3000 on your laptop and "accidentally" being hit with a CSRF, for example.

Get a shell on some staffer's laptop and stay dormant, I'm sure you'll catch a live ssh session soon enough [with access to that ssh client's process memory] (in fact you'd get quite far just with a copy of the id_rsa + known_hosts files)

Yeah, you really only need the contents of ~/.ssh and you could access every server the laptop could.

Even if they didn't have production access, a lot of times servers are configured to easily hop from one to another. They could have connected to a development server and then just hopped to the DB server with the accounts it seems they were looking for.

That's why you should use ssh-agent and protect your private key with a passphrase.
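A quick way to act on that advice is to audit a key directory for private keys stored without a passphrase. The checker below is an added example (not from the thread) that reads the cipher and KDF names from the OpenSSH private-key header (an unencrypted key records cipher `none`) and the `Proc-Type: 4,ENCRYPTED` marker of legacy PEM keys; the fixtures it builds contain only a header, not real key material.

```python
"""
Report private keys in a directory that are not passphrase-protected.
Added example. Handles OpenSSH-format keys (cipher/kdf in the header),
legacy PEM keys (Proc-Type header) and PKCS#8 encrypted keys.
"""
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_FOOTER = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, offset):
    """Read a uint32-length-prefixed string (SSH wire format)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def inspect_openssh_key(pem_text):
    """Return (cipher, kdf) from an OpenSSH-format private key."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != OPENSSH_HEADER or lines[-1] != OPENSSH_FOOTER:
        raise ValueError("not an OpenSSH-format private key")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    return cipher.decode(), kdf.decode()


def is_passphrase_protected(pem_text):
    """True if the private key on disk is encrypted with a passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first == OPENSSH_HEADER:
        cipher, kdf = inspect_openssh_key(pem_text)
        return cipher != "none" and kdf != "none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if first.startswith("-----BEGIN ") and "PRIVATE KEY" in first:
        # legacy PEM: encrypted keys carry "Proc-Type: 4,ENCRYPTED" up top
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l
                   for l in lines[1:4])
    raise ValueError("not a recognised private key format")


def find_unprotected_keys(ssh_dir=None):
    """Return paths under ssh_dir (default ~/.ssh) of unencrypted keys."""
    base = Path(ssh_dir) if ssh_dir else Path.home() / ".ssh"
    found = []
    for p in sorted(base.iterdir()) if base.is_dir() else []:
        if not p.is_file() or p.suffix == ".pub":
            continue
        try:
            text = p.read_text(errors="replace")
            if text.startswith("-----BEGIN ") and not is_passphrase_protected(text):
                found.append(p)
        except (OSError, ValueError):
            continue  # unreadable or not a key; skip
    return found


def build_header_only_fixture(cipher, kdf):
    """Constructed test fixture: the OpenSSH header fields only (magic,
    cipher, kdf, empty kdfoptions, nkeys=1). Not a usable key."""
    body = MAGIC
    for s in (cipher, kdf, b""):
        body += struct.pack(">I", len(s)) + s
    body += struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    chunks = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([OPENSSH_HEADER, *chunks, OPENSSH_FOOTER]) + "\n"


UNPROTECTED_FIXTURE = build_header_only_fixture(b"none", b"none")
PROTECTED_FIXTURE = build_header_only_fixture(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED_FIXTURE = ("-----BEGIN RSA PRIVATE KEY-----\n"
                            "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"
                            "QUJD\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for path in find_unprotected_keys():
        print("no passphrase:", path)
```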

It's useful, but if an attacker got a shell on the dev laptop, I assume he could just coredump the ssh-agent process and steal the unlocked key from there.

I sincerely hope Twitter would know better than to leave those vulnerabilities exposed on any Rails code they're still using. Also, that probably wouldn't count as a "sophisticated" attack in their book...

Attacks are always described as sophisticated in press releases. What do you expect them to say? We were asleep at the wheel and got owned by someone pointing Metasploit on our servers?

From their blog it sounds like it was a Java spear-phishing attack.

Also, Java just did a release and they are claiming one of the issues was being exploited in the wild: http://www.oracle.com/technetwork/topics/security/javacpufeb...

I’m collecting Twitter IDs that were hacked to determine if there is a pattern, please contribute: https://docs.google.com/forms/d/1vCRluBxNGlMs9WFh1bFtOfLYqrD...

Here's the results: https://docs.google.com/spreadsheet/oimg?key=0AmwLhnBvBBD7dF...

Of course, that potentially means that 250,000 user accounts were also compromised on Facebook, Pinterest, Instagram, GMail, Yahoo Mail, Hotmail, et al. If you aren't using a different password for every service or are using only a derivative of a master password (eg. hunter2@twitter, hunter2@gmail, etc), CHANGE YOUR PASSWORD on all services using the same email address (or derivatives) as your Twitter account. Set up 1Password.

If only the salt and the hash were stolen as is being stated, and you used secure (read, non-dictionary-word-derived strings) you're probably okay even if you reused passwords.

But you shouldn't be reusing passwords anyway, of course, so go change them regardless.

And while you're at it, set up two-factor authentication on your Google account. It's a PITA, but much less of a pain than trying to get your account back.

You know, I've had this going on all four of my Gmail/Google accounts (!) for well over a year now, and I still think it's totally worth it. It's not really a pain, and I can sleep better because of it.

Yeah, I used to think it was a pain, but once I realized my email is a single point of failure it was completely worth it.

twitter passwords were salted and hashed.

Yeah, big deal; assume it's known. Change it; change any other service with something "identical." Of course, if you are smart enough to know the implications of both a strong password and salting and not using the same password, you can make your own decision, but if you are at that point, why not change it regardless?

Did anyone get any stranger followers before or after the Twitter warning/password reset?

Not sure if this is a coincidence but I got a follower at 3am today then the Twitter warning. The follower is legit but I can't make a connection/context as to why they would follow me. After I did a password reset I got another follower whom I've known for years in business but now wonder if these coincidences are related. This all reminds me of that Twilight Zone episode on Maple St where the aliens fiddle with the lights and the whole town goes paranoid bonkers :-)

They need to make public the details. How was it done? They left that out of the announcement. You guys know better: public disclosure of hacking techniques prepares the much less tech savvy (about everyone) than Twitter's website operators so they can prepare and protect themselves.

Please consider signing.. https://www.change.org/petitions/twitter-com-release-the-det...

There is a hack/virus where your account gets hijacked and messages are sent to your contacts with wording like "I found this pic of you" or "and embarrassing photo of you!"... and anyone who clicks is themselves hacked.

Thing is... this spammy virus has been around for a WHOLE YEAR

It's AMAZING Twitter hasn't analysed those messages by now and worked out a way to detect them

Especially because the account spams rapidly until you reach your message limit.....

WTF Twitter?!

Why the fuck is it 2013 and Twitter doesn't support two factor auth?

I assume if they did then it would only be the accounts who don't use it who were compromised? I.e. probably about 245,000 accounts.

Yes, but the important accounts would be more likely to use it, as well as those more likely to be targets.

I made a spreadsheet of 53 victims I found. It seems the defining trait is that the account was opened in 2007. There was like one or two from 2006 and one from 2012 but that one may be spurious. Also, almost everyone on the list unambiguously owns an iPhone, but that may just be a coincidence owing to popularity and my sample being inherently weighted to English-speakers. Only found one non-English user I was confident was saying they got the email.


If anyone wants to take those usernames and write their own script to divine some knowledge from the API, feel free

Performing a "forced-reset" on waves of accounts is a pretty effective way of eliminating 'anonymous' accounts no longer linked to a valid email. I bet a decent number of users were permanently locked out of their accounts.

Time to advocate for a truly decentralized version of Twitter :)

Not that I'm against a decentralised Twitter, but wouldn't that increase the attack vector?

If you have many different implementations running on thousands of different servers, it makes taking down the whole thing much more difficult.

I have a mid-four-digit user name and I have received three emails in the last 24 hours from Twitter telling me that my password has been reset. Disturbing.

It would be nice to know how well-protected the passwords were. (Were the salts also accessed? How were the passwords hashed?)

No reset requests for me on the following account numbers:

I had no idea I had so many accounts until I searched my email.

I received this same mail earlier. Very glad that I have a policy of strong random passwords for each site. Not affiliated with them other than being a user, but I recommend Lastpass + Yubikey for two factor (you can Google Auth as well with Lastpass).

Hmm, I saw this story, changed my account password(s). Then I noticed that I'd already had the email.

The email said that the password had been reset (as in dewitt's post) but I'd just logged in - after the claimed reset - with the old credentials.

That's kinda worrying.

Both my Mac and Android twitter clients are still logged in, and in the e-mail they said that session tickets had been invalidated...

These clients use a different authentication mechanism. Looks like authentication tokens for clients weren't leaked.


I'm at 700k and affected.

~1.9M here, got the email.

I'm a Nov 2006 account and I just got the email - since then I have reset my password to be particularly strong - but it seems it's forcing me to do it again (not that I mind, I use a very strong password stored in LastPass)

Who is telling the truth?

From the email I just got from them:

> Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.

Sounds like a coincidence, to me

I got both of these emails.

I notice the tweetdeck web (and therefore client) ssl cert has just been revoked...


Very concerning that while my session was terminated in my browser my iPhone and iPad apps are still authenticated. Shouldn't those sessions have been invalidated too?

most apps use xAuth, which means your password isn't sent down the wire except for the very first time you authenticate.

I still killed all my oauth tokens, since they can be replayed

Everything needs to shift to MFA...


Hahah, Jack Dorsey was speaking at my school today. Can't have helped his stage confidence to have this on his mind.

Yep, just got one too. My id is around the 19000s..

Of note, the apps I have allowed access to my account are:

tweetdeck, twitter for android/OSX and instagram.

(if that helps any diagnosis of potential attack vectors)

My account also got hacked, got an email from Twitter.

They should've been salted and hashed !

The passwords were, apparently.

“However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”

Ruby on Rails, Java, ?=> Twitter.

wonder if it's that notorious ruby/YAML hack

My bet is Chinese govt sponsored hackterrorism

Downvoted your guess because you didn’t even cite the recent trend (which is mentioned in the article) of reported Chinese hackings, and you contribute nothing.

"[W]e encourage all users to take this opportunity to ensure that they are following good password hygiene..."

Wow, that's so insulting. How about you just do your job instead?

Wow, poor precious. Are you likewise insulted when the bank tells you not to keep a written note of your PIN with your card? As obvious as it is to you to ensure good password hygiene, it should be obvious that Twitter has a clear interest in encouraging less informed users doing the same.
