Around 250,000 people have had their passwords reset after ‘sophisticated’ hackers broke into Twitter’s database and may have stolen emails and encrypted passwords. Here’s a guide on what you need to know
Q: how can I find out if I have been affected?
Go to a web browser, go to twitter.com, log out (if you’re logged in) and try to log in with your usual password. If you can’t log in – it will say there’s a problem with your username or password – then you’ve been affected.
(Deletion because Paul Lomax points out that web access will have been revoked if you were affected. See below.)
Q: I can’t check that just now. Am I likely to have been affected?
Only if you joined Twitter roughly in the first half of 2007. At that time it had a few million users. People (including myself) who joined in May 2007 have been affected. If you can’t remember when you joined Twitter, you can find out your “Twitter birthday” for yourself or any other user (it’s not private data).
Most people joined well after mid-2007, so on that basis you’re unlikely to have been affected.
Q: I can’t see an email from Twitter, and I can still post from Tweetdeck and other third-party clients – I haven’t tried the website. This means I’m OK, doesn’t it?
Not necessarily. The email from Twitter may have been filtered into your spam folder (users of Google’s Gmail should specifically look in their Spam folder; a search in the Gmail function won’t look at spam messages – and Twitter’s reset message to a Gmail account I use was filtered as spam.
The reason why third-party clients will still let you tweet is that Twitter doesn’t let them use your password. Instead, it uses “tokens” which are issued to the third-party programs, and authorise them to send tweets to Twitter’s database for redistribution to followers. The tokens weren’t revoked as part of the password reset; doing that would have meant that you’d have had to re-authorise all your apps, and for some apps Twitter has only made a limited number of tokens available. So that would have hurt both users and app developers.
Q: What did the hackers get?
Twitter says “our investigation has thus far indicated that the attackers may have had access to “limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords.” Session IDs are used for web visits, rather than third-party applications.
Update: Twitter has asked us to point out the emphasis on the point that hackers “may” have had that access: “it’s not 100% certain that they did. We reset passwords as a precautionary measure,” a spokesperson told the Guardian.
Q: What has Twitter done about it?
It has revoked the session tokens – so web-based services for those accounts (such as the Twitter.com website – see Paul Lomax comment) won’t work – and reset the passwords, so even if the hackers can crack the encryption, the passwords won’t work.
Q: Why did they go after the early adopters of Twitter?
Probably they didn’t, directly. Chris Applegate speculates that the method by which the hack was done gave the attackers access to its database, and forced it to list the user details – but they were by default provided in ascending order – that is, from user No.1 upwards. That means that Twitter’s founders such as Biz Stone, Jack Dorsey and Evan Williams have almost certainly been affected.
Q: What were they after?
What most hackers are after – access to accounts. There’s no indication yet of what group or individual might have been behind it, but getting secret access to accounts is always useful to hackers: it lets them watch people, or masquerade as others and send poisoned links via direct message to get control of more accounts.
Plus, some people use the same password for their Twitter account as their email account, and other accounts (a very bad move) which could mean, if the hackers are able to crack the encryption around the passwords, that they would be able to get access to huge numbers of email accounts, which would mean escalating problems for those people.
Always, always, use different passwords for important accounts; and don’t chain together your email accounts (so that a password reset in one is sent to another more vulnerable one).
Twitter’s advice on passwords: “Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords.”
Q: How was it done?
Twitter isn’t saying; its blogpost about the attack says only that it saw “unusual access”. That means that the hackers were probing its database via the Twitter access method, and found a way to crack its usual safeguards.
It may be connected to the outage that Twitter suffered on Thursday, though the company hasn’t said.
Twitter is saying that “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
That implies that this could be part of a pattern in which a number of media organisations – including the New York Times, Wall Street Journal, and – according to some reports – the Washington Post have been attacked by Chinese hackers. With people such as the Dalai Lama on Twitter, it’s possible that this was an attempt to find out what important messages were being passed between such members.
