Something’s Amiss On the Twitters this Evening – 250K Emails/Passwords Exposed

So I was having a nice relaxing Friday evening when I happened to check my email. And what should I find in my mailbox … but a nice little message from Twitter. It noted that my account may have been hacked and that I needed to reset my password. Wonder if this is just another case of “me too” following the recent big-media New York Times and Wall Street Journal hacks earlier this week?

Hi, grecs

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link: https://scrubbed.for.your.protection.com

As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password

Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

In general, be sure to:

  • Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
  • Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
  • Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.

For more information, visit our help page for hacked or compromised accounts.

The Twitter Team

I pinged the twitters (ironically) and it seems others also received the same message. Here are some helpful responses and links I received.

grecs: Did Twitter just get hacked? Got an email asking me to reset my password… Anyone else?

oncee: @grecs I got it too.

evejou: @grecs “As a precautionary security measure, we have reset passwords and revoked session tokens for these…” http://t.co/YlRgqyj3

synackpwn: @grecs was a breach, check out the @safety account

elwing: @grecs @jasonjfrank not my account, but there are details on their blog. Got salted passwords for about 250k accounts

c0ncealed: RT @SecMash: Twitter Hacked; Company Says 250k Users May Have Been Affected http://t.co/jKEzOBAy #InfoSec cc: @oncee @grecs

For the official word … we need to head over to Twitter’s blog post, ironically titled “Keeping Our Users Secure.” In this post they state attackers may have had access to “usernames, email addresses, session tokens and encrypted/salted versions of passwords” for over 250,000 accounts. Of course, throughout the post they seem to be shifting blame toward users with weak passwords and “extremely sophisticated” attackers. To a certain extent, however, they have a point, though perhaps the focus should be on their employees rather than their users.

Just a few predictions…

Related to the “extremely sophisticated” bit, the attack will have been nothing more than a simple phishing email with a malicious attachment or link to a malware-laden website. Some poor Twitter employee fell for it – there’s always someone in every organization – and from there the attackers established a beachhead from which to mount an attack against the rest of the Twitter infrastructure.

From the breached machine, the attackers grabbed the hashed credentials from the local workstation and attempted to crack them. With permissions of that compromised user, hashes they could “pass,” and the cracked passwords, they progressed into other areas of the Twitter infrastructure and at some point discovered an old backup of “usernames, email addresses, session tokens and encrypted/salted versions of passwords.”

The attackers next migrated the old backup and any other data they discovered back to the beachhead they had established. There they rarred up all the contents into several password protected compressed files, and exfiltrated them back through a series of compromised New York Times, Wall Street Journal, and other hosts they had pivoted through … and finally back to … duh duh duh … China. And of course this will all be confirmed through an excruciatingly detailed Mandiant report that probably most of us will never see…

Also phishers will take advantage of this breach by sending emails claiming to be Twitter with instructions related to this incident. Click on that link or open that attachment and your organization may be the next company to make the headlines…
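The genuine reset mail quoted above tells you to check that a link really lands on https://twitter.com before typing a password, and look-alike mails riding on this breach are exactly what that advice is for. As an added example (not from the original post or from Twitter), here is a small Python check that pulls the links out of a message body and flags any that are not https links to twitter.com or one of its subdomains; the sample message bodies are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Host the genuine reset notice links to; subdomains of it are accepted too.
TRUSTED_HOSTS = {"twitter.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def extract_links(text):
    """Return every http(s) URL in a message body, trailing punctuation stripped."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def is_trusted_twitter_link(url):
    """True only for an https link whose real host is twitter.com or *.twitter.com.
    urlsplit() gives the host the browser would actually connect to, so the
    'twitter.com@evil' and 'twitter.com.evil' look-alike tricks do not pass."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False  # plain http (or anything else) never passes
    if host in TRUSTED_HOSTS:
        return True
    return any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_links(text):
    """Links in the message that fail the check, for a reader to inspect by hand."""
    return [u for u in extract_links(text) if not is_trusted_twitter_link(u)]


# Constructed sample bodies: the first echoes the genuine notice, the second is
# the kind of look-alike reset mail the post predicts.
GENUINE = """You can request a new password from https://twitter.com/account/resend_password
Review your applications at https://twitter.com/settings/applications."""

LOOKALIKE = """Your account was compromised. Reset now at
http://twitter.com.account-verify.example/reset
or https://twitter.com@login.example/verify"""

if __name__ == "__main__":
    print("genuine   :", suspicious_links(GENUINE))    # nothing flagged
    print("lookalike :", suspicious_links(LOOKALIKE))  # both links flagged
```

Shortened links such as the t.co ones in the tweets above will also be flagged, which is the intended behaviour: the check cannot see where a shortener redirects, so those need a look before clicking.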

#####

What’s your prediction for how the attack played out? Let us know in the comments below. Today’s post pic is from BartVPN.com. See ya!

5 comments for “Something’s Amiss On the Twitters this Evening – 250K Emails/Passwords Exposed”

  1. February 1, 2013 at 8:13 pm

    #NOVABLOGGER: Something Is Amiss On the Twitters this Evening http://t.co/GE0O1NIV http://t.co/IntXkFbO

  2. February 1, 2013 at 8:56 pm

    #Cybersecurity Something Is Amiss On the Twitters this Evening http://t.co/85a466zI #ITsecurity #Infosec

  3. February 1, 2013 at 10:04 pm

    @DarthNull @jasonmoliver @Wh1t3Rabbit More info on our blog… http://t.co/oohXXJXG

  4. February 1, 2013 at 11:31 pm

    Something’s Amiss On the Twitters this Evening – 250K Emails/Passwords Exposed http://t.co/GE0O1NIV

  5. February 2, 2013 at 11:19 am

    Predictions re 250K Twitter Emails/Password.. with a prediction. http://t.co/GE0O1NIV
