Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
You'll need to create a new password for your Twitter account. You can select a new password at this link: ***
As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
In general, be sure to:
Always check that your browser's address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognize, click the Revoke Access button.
For more information, visit our help page for hacked or compromised accounts.
The Twitter Team
I just got a second 'Twitter Password Reset' email with more explanatory information now, almost two and a half hours after the first.
def random_string(n):  # function header assumed; the body is as posted
    random_char = '1'  # chosen by fair dice, guaranteed random
    return random_char * n
It sounds like at this point Twitter sent out the email in parallel with trying to figure out how these compromises happen. Since they salt the hashed passwords, they don't know how complex your password was. Of course, you should still change your password. I changed my 80-bit Linkedin password after it was stolen.
I think there are risks with all solutions to the password problem.
Creation date: March 2007
User ID: 2,7xx,xxx
Edit: I wonder if the bad guys were able to access private Direct Messages, too. There's always talk about resetting passwords, but nobody ever mentions all the other confidential data that might be pastebin'ed later.
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.
There are moderate numbers of people who use Twitter for online activism. That would point more to Syria or Iran or another Middle Eastern country, since Twitter is more popular there than in China or the Chinese language.
Pretty clearly this was the work of governments e.g. China, Iran who are trying to find out more about political dissidents or the sources of leaks. They are the only ones who would use lucrative exploits against Twitter, NYT, WSJ etc.
Pretty interesting if you ask me. Is it likely the US would sic the best hackers at the NSA on it if top secret information was being leaked on the bizarro world's Chinese Twitter? It almost sounds like the prologue to the world's first CyberWar.
Wow, finally a breach where the hackers DIDN'T make off with all of our passwords in plain-text. Kudos to Twitter for actually handling passwords properly, considering the eventuality that all websites are vulnerable to attack.
I remember a time when many people assumed md5("notreallysalt"+password) was a good practice, and Twitter is old.
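The point behind the "they salt the hashed passwords" remark above and the md5("notreallysalt"+password) anti-pattern is worth seeing in code. This is an added example, not code from Twitter or from anyone in this thread; the user names, passwords and word list are constructed, and the iteration count is deliberately low so it runs quickly. It contrasts a site-wide constant "salt" (one md5 per candidate cracks every user at once) with a per-user random salt plus a slow KDF (every user costs the attacker a separate run).

```python
import hashlib
import hmac
import os

# Constructed demo data: three users, two of whom share a password.
USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "correct horse battery staple",
}
WORDLIST = ["123456", "password1", "letmein"]  # constructed attacker dictionary
ITERATIONS = 10_000  # kept low for the demo; production should use far more


def weak_hash(password, site_salt=b"notreallysalt"):
    """md5(constant + password): the 'salt' is the same for every user, so
    equal passwords hash equal and one guess tests the whole dump at once."""
    return hashlib.md5(site_salt + password.encode()).hexdigest()


def strong_hash(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison of a freshly derived digest with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def site_salted_dump(users=USERS):
    """What an attacker gets from a site using the constant-'salt' scheme."""
    return {user: weak_hash(pw) for user, pw in users.items()}


def per_user_salted_dump(users=USERS, iterations=ITERATIONS):
    """What an attacker gets from a site using per-user salts: (salt, digest)."""
    return {user: strong_hash(pw, iterations=iterations) for user, pw in users.items()}


def crack_site_salted(dump, wordlist):
    """Hash each candidate once, then look every user up in O(1)."""
    lookup = {weak_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def crack_per_user(dump, wordlist, iterations=ITERATIONS):
    """Every (user, candidate) pair needs its own KDF call; also return the count."""
    found, work = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            work += 1
            if verify(word, salt, digest, iterations):
                found[user] = word
                break
    return found, work
```

With the constant "salt", alice and bob produce identical hashes and both fall to three md5 calls in total; with per-user salts their digests differ, the attacker pays one KDF call per (user, guess) pair, and the cost of each call is whatever the iteration count makes it. That is also why the thread's remark holds: the site cannot tell how strong a user's password was from the stored digest.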
- People's accounts might have been compromised earlier "this week" and they could have used that extra warning time to make sure the damage didn't spread to their other online accounts.
- People who might have been compromised are now less likely to see the announcement, so if anything is compromised there's less chance they will react to mitigate damages.
Great for PR, horrible for their users.
They'll likely be doing forensics for months after this, so alerting the public a few days in to the investigation is actually pretty good.
What you should be concerned about is all of the companies who got owned in this campaign and will not be confessing. This is big, and a few more companies will admit it early, a few will sneak vague statements in their SEC disclosures, and a few will cover it up completely.
And anyone whose account has been compromised has received an email, a far more likely way of seeing the message than relying on everybody to occasionally check Twitter's blog for news.
EDIT: It'd be great if anyone willing to downvote would explain why it's OK for Twitter to title a notice involving a breach of security resulting in the exposure of 250,000 records containing sensitive information, "Keeping our users secure". Because it really kind of pisses me off when I read it.
EDIT, EDIT: Highest karma volatility (up, down, up, up down, etc) of any comment I've ever posted on Hacker News. I really am genuinely interested in counter points.
Let's all take a deep breath and remember: It's. Just. Twitter.
It's just twitter.
1) There is no evidence that all of the records were compromised. So Twitter is keeping users secure by proactively resetting passwords.
2) People need to get over this Friday afternoon release. Twitter is a global company so it's not Friday everywhere and regardless it could purely be coincidental.
You're right. In some places it's the middle of the night, and in some places it's Saturday morning... prime time for a press release.
Security is tough. Really, really tough. I'm not here to crucify them for the breach, but the title glosses over the event in a way that is disingenuous at best. When you border on dishonesty with your title, people begin to question your motives.
I'm not upset, it sounds like they detected it quickly and went out of their way to make sure everyone was not only notified but ensured that their account was safe. 250k users is a very small number of their accounts. A literal drop in the bucket. It sounds to me that they're going after the hackers and I appreciate that.
Was your account compromised?
The break-in didn't Dick Nixon, the cover-up dicked Nixon
Yes, I know this is "naive" thinking, but I also think it's the kind of thinking that can change a company for the better. Would it be easy? No. But in the end it's us, the users, who have to not think so critically of these "political pitfalls" (my words). Hacking happens; time and time again this stuff happens. If Twitter (or another company) took measures to protect their users and didn't do something completely stupid like keeping plain text info, we should all just take what happened for what it is and move on. With these situations becoming more and more common, we are going to have to do this anyway.
Maybe the "bad" people involved in the attack figured if they got away with it less people would be looking on a weekend so they could get further.
Just saying... it's easy to assume "big" companies always do what's best for them... but really they're just a bunch of people trying, in most cases, to do the right thing. So, before you click "fire" on that enter key... think about it... there are people on the receiving end... probably a lot like you.
With incident response for an active service, priority one is segregation and mitigation; priority zed is writing a blog post about it.
Not that I disagree with you but it's not exactly as if Twitter was a role-model of security on this one...
Google used a combination of kerberos, SSH public key auth, client-side SSL certs, and a custom crypto system called Low Overhead Authentication System (LOAS), all of which utilize zero-knowledge proofs rather than sending passwords to the server. Google still got compromised, using a (0day?) Adobe Reader exploit sent via impersonating a co-worker on AIM or MSN Messenger (as I remember).
Let's leave the jury out on this one until we find out what happened.
Also, they don't even allow the codenames of various parts of their infrastructure to be leaked, much less how the parts relate and how they're protected.
I'd really like to see LOAS open-sourced. I imagine that, like Kerberos, it's based on Needham-Schroeder, but I've never seen its source code or any design documentation.
For those deep in the trenches, is there a good resource for getting started for those technically inclined/interested in learning more? Presumably there are basic things like proper firewalls and MFA, but also more advanced things like pattern/anomaly detecting IDSs or traffic monitoring tools?
On the user side, are there smarter ways of detecting when your system is RAT infested (seems like an IDS running on your laptop should be able to notify you if your system is sending out a new VNC/IRC connection...)
Back when I was more into system/network security, the open source tools (Tripwire, AIDE, Snort) were all ... rather manual/labor intensive. Have things evolved as the sheer amount of attacks/attack vectors have increased?
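The laptop-side idea in the question above (notify me when a process opens an outbound VNC/IRC connection it never opened before) is small enough to sketch. This is an added example, not a tool mentioned in the thread and not Twitter's: it parses `netstat -tnp`-style lines (the Linux column layout is assumed), learns a baseline of (program, remote port) pairs from a snapshot taken while the machine is believed clean, and flags pairs that appear later, rating the common VNC and IRC defaults (5900 and 6667, an assumption about what "RAT-style" means here) as high. The two snapshots are constructed, not real output.

```python
import re
from dataclasses import dataclass

# Ports treated as suspicious when a process that never used them before
# opens an outbound connection. Common defaults for VNC and IRC; a real RAT
# can use any port, including 443 (assumption, for illustration only).
SUSPECT_PORTS = {5900: "VNC", 6667: "IRC"}

# Matches the tcp lines of `netstat -tnp` output on Linux (assumed format):
# proto recv-q send-q local remote state pid/program
LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Conn:
    local: str
    remote_host: str
    remote_port: int
    state: str
    program: str  # "-" when netstat cannot see the owning process


def parse_netstat(text):
    """Turn netstat text into Conn records; header and non-tcp lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _proto, local, remote, state, pidprog = m.groups()
        host, _, port = remote.rpartition(":")
        program = pidprog.split("/", 1)[1] if "/" in pidprog else pidprog
        conns.append(Conn(local, host, int(port), state, program))
    return conns


def baseline(conns):
    """'Normal' is the set of (program, remote port) pairs seen while clean."""
    return {(c.program, c.remote_port) for c in conns}


def find_new(conns, known):
    """Report pairs absent from the baseline, once each; known RAT-style ports are high."""
    alerts, seen = [], set()
    for c in conns:
        key = (c.program, c.remote_port)
        if key in known or key in seen:
            continue
        seen.add(key)
        severity = "high" if c.remote_port in SUSPECT_PORTS else "info"
        alerts.append((severity, c.program, f"{c.remote_host}:{c.remote_port}",
                       SUSPECT_PORTS.get(c.remote_port, "")))
    return alerts


# Constructed snapshots, not captured from a real machine.
CLEAN_SNAPSHOT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:49152      93.184.216.34:443       ESTABLISHED 2201/firefox
tcp        0      0 192.168.1.10:49160      203.0.113.20:22         ESTABLISHED 2310/ssh
"""

LATER_SNAPSHOT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:49170      93.184.216.34:443       ESTABLISHED 2201/firefox
tcp        0      0 192.168.1.10:49181      198.51.100.7:6667       ESTABLISHED 4412/python3
tcp        0      0 192.168.1.10:49182      203.0.113.5:5900        ESTABLISHED -
tcp        0      0 192.168.1.10:49190      203.0.113.9:8443        ESTABLISHED 2201/firefox
"""


def check(clean=CLEAN_SNAPSHOT, later=LATER_SNAPSHOT):
    """Compare a later snapshot against the baseline learned from the clean one."""
    return find_new(parse_netstat(later), baseline(parse_netstat(clean)))


if __name__ == "__main__":
    for severity, program, destination, label in check():
        print(f"[{severity}] {program} -> {destination} {label}")
```

The caveat a practitioner would add: this only catches an implant that is sloppy enough to use a new process or a distinctive port. A RAT that tunnels over 443 from inside the browser process looks identical to the baseline, which is why host IDS tools pair this kind of check with process integrity, persistence and traffic-volume signals rather than relying on port lists alone.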
I got a similar message several months back, but that wasn't part of a larger leak; apparently some website I'd used a while ago had been compromised and I was using my throwaway password on Twitter at the time. Suffice to say, it's using a real one now - fifty-some-odd characters of random garbage generated and stored by 1Password. It's never been used anywhere else, so getting this email a second time just now was quite a shock (this time, my reaction was "really guys, again?" rather than "wtf?")
To their credit, they caught the first instance crazy-fast (my password had been reset automatically within about five minutes of a rogue tweet, though not before a friend texted me about it). This time I didn't see any activity at all, so I assume it was more proactive.
I'd still like an MFA option, especially with how infrequently I actually log in to twitter. However, I do like the "check your OAuth grants" page you're taken to after changing your password.
edit: The attacker got salted password hashes. That explains it.
The blog post mentions turning off Java in your browser, which could be a clue to the attack vector Twitter suffered, and it's written by someone from "Information Security" rather than someone from Application Security.
Which means either the production servers were hacked or there was a widespread compromise of their internal network and systems e.g. email, IM.
And identifying the senior staff probably isn't that hard; they probably have quite visible Twitter accounts.
As someone mentioned in a completely different thread, it'd be enough to have a vulnerable Rails app running on localhost:3000 on your laptop and "accidentally" being hit with a CSRF, for example.
Get a shell on some staffer's laptop and stay dormant; I'm sure you'll catch a live ssh session soon enough [with access to that ssh client's process memory] (in fact you'd get quite far just with a copy of the id_rsa + known_hosts files).
Even if they didn't have production access, a lot of times servers are configured to easily hop from one to another. They could have connected to a development server and then just hopped to the DB server with the accounts it seems they were looking for.
Here's the results: https://docs.google.com/spreadsheet/oimg?key=0AmwLhnBvBBD7dF...
But you shouldn't be reusing passwords anyway, of course, so go change them regardless.
Not sure if this is a coincidence, but I got a follower at 3am today and then the Twitter warning. The follower is legit, but I can't make a connection/context as to why they would follow me. After I did a password reset I got another follower whom I've known for years in business, but now I wonder if these coincidences are related. This all reminds me of that Twilight Zone episode on Maple St where the aliens fiddle with the lights and the whole town goes paranoid bonkers :-)
Please consider signing..
Thing is... this spammy virus has been around for a WHOLE YEAR
It's AMAZING Twitter hasn't analysed those messages by now and worked out a way to detect them
Especially because the account spams rapidly until you reach your message limit.....
If anyone wants to take those usernames and write their own script to divine some knowledge from the API, feel free
The email said that the password had been reset (as in dewitt's post) but I'd just logged in - after the claimed reset - with the old credentials.
That's kinda worrying.
From the email I just got from them:
> Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
Of note, the apps I have allowed access to my account are:
tweetdeck, twitter for android/OSX and instagram.
(if that helps any diagnosis of potential attack vectors)
“However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”
Wow, that's so insulting. How about you just do your job instead?