The micro-blogging company has provided very little information on the incident, but acted quickly by resetting the affected users’ passwords and revoking all active session tokens. It said in Friday's blog posting it had detected “unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” and that it subsequently detected a live attack which it shut down. It added, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
The lack of specific information has led commentators to seek further clues in what Twitter did and did not say. Twitter did not mention ‘China’, but it did reference the recent New York Times and Wall Street Journal hacks, both of which did accuse China. The Examiner makes the connection: “All fingers point to Chinese hackers penetrating their computer systems.” But it could just as easily be argued that Twitter’s comment, “we are helping government and federal law enforcement in their effort to find and prosecute these attackers”, can hardly refer to prosecuting the Chinese government. The fact is, it is not yet clear who is behind the hack.
Nor is it stated how it was done. Nevertheless, there is an oblique reference to Java exploits. “We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java in their browsers.” The original entry says ‘on their computers’, which was then amended to ‘in their browsers’ in line with the CERT Vulnerability Note VU#625617. Is this a hint at how Twitter was compromised: perhaps targeted spear-phishing that sent an employee to a site which compromised a computer via a Java browser exploit, with malware that ultimately stole the database? Or is it just good advice?
One thing has emerged, however. Commenters on the ArsTechnica report noted that the compromised Twitter accounts all seemed to belong to ‘early adopters.’ “Interestingly,” commented Panther Modern, “a great number of persons reporting they were affected also happen to be early-adopters of Twitter (and presumably with low-digit account numbers). It appears (on the surface anyway) that the data was accessed in-order of account creation date.” This has led to speculation that the hacker or hackers did a simple database dump, and “maybe default sort was ID ascending.”
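The “dump sorted by ID ascending” inference above points to one access pattern a defender can look for in their own logs: a single session reading user records in near-monotonic ascending ID order, in volume, looks like an enumeration or export rather than organic use, which touches IDs in effectively random order. The following is an added example, not Twitter’s code and not taken from the article or its commenters; the log format, field names, session identifiers, sample data and thresholds are all assumptions constructed for illustration.

```python
"""
Flag sessions that read user records in ascending-ID order (dump-like access).

Added example; not Twitter's code. Assumed log line format (constructed):
    <ISO timestamp> session=<id> user_id=<n> action=<name>
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) user_id=(?P<uid>\d+) action=(?P<action>\S+)$"
)


def constructed_log():
    """Constructed sample log: s1 browses random IDs (organic), s2 walks IDs
    1..40 in ascending order (dump-like), s3 walks 1..5 ascending but is too
    short to be worth flagging on its own."""
    lines = []
    organic = [48213, 119, 90211, 5, 77002, 3310, 48213, 612]
    for i, uid in enumerate(organic):
        lines.append(f"2013-02-01T10:00:{i:02d} session=s1 user_id={uid} action=read_profile")
    for i in range(1, 41):
        lines.append(f"2013-02-01T10:05:{i:02d} session=s2 user_id={i} action=read_profile")
    for i in range(1, 6):
        lines.append(f"2013-02-01T10:07:{i:02d} session=s3 user_id={i} action=read_profile")
    # One unrelated action type, to show it is ignored by the parser.
    lines.append("2013-02-01T10:08:00 session=s2 user_id=41 action=post_tweet")
    return lines


def parse_reads(lines, action="read_profile"):
    """Group (timestamp, user_id) pairs of record reads by session."""
    by_session = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["action"] != action:
            continue  # malformed line or not a record read
        by_session[m["session"]].append((datetime.fromisoformat(m["ts"]), int(m["uid"])))
    return by_session


def sequential_score(uids, max_gap=5):
    """Fraction of consecutive reads whose ID rose by 1..max_gap.
    1.0 means every step was a small ascending increment (a sorted walk);
    organic browsing scores near 0.0."""
    if len(uids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(uids, uids[1:]) if 0 < b - a <= max_gap)
    return steps / (len(uids) - 1)


def flag_sessions(lines, min_reads=20, min_score=0.9, max_gap=5):
    """Return {session: summary} for sessions that read at least min_reads
    records with a sequential score of at least min_score."""
    flagged = {}
    for session, events in parse_reads(lines).items():
        events.sort()  # order by timestamp before scoring
        uids = [uid for _, uid in events]
        score = sequential_score(uids, max_gap)
        if len(uids) >= min_reads and score >= min_score:
            flagged[session] = {
                "reads": len(uids),
                "score": score,
                "first_uid": uids[0],
                "last_uid": uids[-1],
                "seconds": (events[-1][0] - events[0][0]).total_seconds(),
            }
    return flagged


if __name__ == "__main__":
    for session, info in flag_sessions(constructed_log()).items():
        print(f"ALERT session={session} reads={info['reads']} score={info['score']:.2f} "
              f"ids={info['first_uid']}..{info['last_uid']} in {info['seconds']:.0f}s")
```

The thresholds are a starting point rather than tuned values: `min_reads` keeps short organic bursts out of the alert queue, and `max_gap` tolerates deleted or skipped IDs in an otherwise sorted walk. The same scoring can be applied to database query logs or API access logs, which is where a full-table export sorted by primary key would show up first.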
Little will be known until Twitter releases more information. All that is known so far is that a sophisticated hack might have led to the loss of around 250,000 user details. Those users have been or are being notified (but have had their existing passwords arbitrarily reset by Twitter), and all users are being advised “to take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet... Using the same password for multiple online accounts significantly increases your odds of being compromised.”