Twitter engineers shut down what they described as an "extremely sophisticated" hack attack on its network that exposed the cryptographically protected password data and login tokens for 250,000 users.
In a blog post published late Friday afternoon, company officials said affected passwords and tokens have been reset and e-mails are in the process of being sent out to affected users. Twitter said it discovered the breach "earlier this week" and shut it down moments later.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Bob Lord, Twitter's director of information security, wrote. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Lord also mentioned recent attacks on Oracle's Java software framework for browsers, although he didn't explain what it had to do with the attack on Twitter. He urged users to disable Java on their computers.
[...]
Because Twitter has reset user passwords and session tokens, there's reason for optimism that most Twitter accounts will remain safe. But users who used the same password for other online accounts remain at risk. While bcrypt is among the best password-hashing algorithms available, its use only slows down the cracking process; it does not prevent it. Because the breach also exposed Twitter users' e-mail addresses, cracked passwords could be used to compromise accounts on Facebook, LinkedIn, or any number of other sites, if those accounts use the same password.