The compromise was revealed by Twitter in a blog post on Friday, and the company is still investigating the matter.
What they do know is that the attack was not the work of amateurs.
"The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked," noted Bob Lord, Twitter Director of Information Security, alluding perhaps to the New York Times and Wall Street Journal breaches mentioned at the top of the post.
"For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users."
The bad news is that the attackers may have had access to user information such as usernames, email addresses, session tokens and encrypted/salted versions of passwords.
The good news is that Twitter actually hashes (encrypts) and salts (adds random data to) the passwords before storing them, making it more difficult for the hackers to crack.
More bad news is that the attackers probably know that Twitter still uses the bcrypt algorithm to hash passwords, so they know what they're dealing with. Still, this hashing algorithm is among the best and most difficult to crack, so Twitter is hoping that the affected users will be able to change their passwords before their accounts get compromised.
To that end, Twitter has been sending out emails warning affected users of the breach and asking them to reset their passwords. They also advise them - and all users in general - to practice "good password hygiene", i.e. to use long, complex passwords and not to reuse the same ones on multiple accounts.
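To make concrete what "hashed and salted" buys a site whose password database leaks, here is a small added example (not Twitter's code; Twitter's actual bcrypt parameters are not given in the post). It uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt, since bcrypt is not in the standard library; the iteration count, salt length and record format are assumptions chosen for the example. The point it demonstrates is the one the article makes: every password gets its own random salt, so two users with the same password produce different stored records, and each stolen record must be attacked separately at the full cost of the slow hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not Twitter's real settings).
ITERATIONS = 200_000   # deliberately slow: every guess costs an attacker this much work
SALT_BYTES = 16        # per-password random salt


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is generated unless one is supplied (supplying one is
    only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so verification cannot leak how many bytes matched."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """Two accounts with the same password yield different records because the
    salt differs, so a precomputed table for one record is useless for the other."""
    return hash_password(password) != hash_password(password)


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """A record hashed with fewer iterations than today's setting should be
    re-hashed at the user's next successful login to raise the cracking cost."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < current_iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify:", verify_password("correct horse battery staple", rec))
    print("distinct records for same password:", same_password_different_records("hunter2"))
```

The record stores the salt and the work factor next to the hash, which is why knowing the algorithm (as the article says the attackers now do for bcrypt) does not by itself help: the salt is public by design, and the cost of each guess comes from the iteration count, not from secrecy of the scheme.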
I would add two things to this: first, be careful if you receive a "breach notification" email from Twitter, as cybercrooks will surely be sending out bogus ones. Be sure to check that the password reset link included in the email points to Twitter's domain.
Second: please immediately change the password for the email address to which the notification was sent. That email account is associated with Twitter, and the attackers now know that it is, so they could be trying to break into it, too. Again, use long and complex passwords.
Lord is also advising users to disable Java in their browsers. He hasn't specified why, but he does mention Java twice - possibly because it was how the attackers gained access to their systems in the first place?
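The check in the first point, that a reset link really points to Twitter's domain, is easy to get wrong by eye, because a hostname can be padded on either side to look right. Here is an added example (not from the article) of doing that check on the link's actual target URL rather than its display text. The allow-list containing only `twitter.com` is an assumption for the example; the test URLs below are constructed.

```python
from urllib.parse import urlsplit

# Assumed allow-list for the example: the article only says "Twitter's domain".
TRUSTED_DOMAINS = ("twitter.com",)


def link_points_to_trusted_domain(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the URL's host is exactly a trusted domain or a subdomain of one.

    Checks the parsed hostname, so the usual lookalike tricks fail:
      - 'twitter.com.evil.example' is a subdomain of evil.example, not of twitter.com
      - 'twitter.com@evil.example' puts twitter.com in the userinfo part; the host is evil.example
      - 'evil.example/twitter.com/...' has twitter.com only in the path
      - a non-ASCII lookalike hostname is simply not equal to 'twitter.com'
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False                      # a genuine reset link should be HTTPS
    host = parts.hostname                 # userinfo and port stripped, lowercased
    if not host:
        return False
    host = host.rstrip(".")               # tolerate a trailing dot in the FQDN
    return any(host == d or host.endswith("." + d) for d in trusted)


if __name__ == "__main__":
    # Constructed sample links, not real reset URLs.
    for sample in (
        "https://twitter.com/account/reset?token=abc",
        "https://api.twitter.com/reset",
        "https://twitter.com.evil.example/reset",
        "https://twitter.com@evil.example/reset",
        "https://evil.example/twitter.com/reset",
        "http://twitter.com/reset",
    ):
        print(link_points_to_trusted_domain(sample), sample)
```

The function inspects the link's href, not the clickable text; in an HTML email those two can differ, so the value to test is the actual target the mail client shows on hover or in the raw message.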
Kevin Liston over at ISC Diary has a few good tips on what to do if you receive the password reset message, and advice on why logging out of online accounts regularly is a good idea.