Twitter said on Friday that hackers, in the latest
online attack, may have gained access to information on a quarter of a
million of its more than 200 million active users.
The
social media giant said in a blog posting that earlier this week it
detected attempts to gain access to its user data. It shut down one
attack moments after it was detected.
But it
discovered that the attackers may have gained access to usernames, email
addresses and encrypted passwords belonging to 250,000 users. Twitter
has reset the pilfered passwords and sent emails advising users that
they’ll have to create a new one.
“This attack was
not the work of amateurs, and we do not believe it was an isolated
incident. The attackers were extremely sophisticated, and we believe
other companies and organizations have also been recently similarly
attacked,” the blog said. “For that reason we felt that it was important
to publicize this attack while we still gather information, and we are
helping government and federal law enforcement in their effort to find
and prosecute these attackers to make the Internet safer for all users.”
The
hack is the latest high-profile cyber-attack on U.S. media and
technology companies recently. The New York Times and The Wall Street
Journal reported this week that their computer systems had been
infiltrated by China-based hackers.
One expert said
that the Twitter hack probably happened after an employee’s home or work
computer was compromised through a vulnerability in Java, a
commonly-used computing language whose weaknesses have been well
publicized.
Ashkan Soltani, an independent privacy
and security researcher, said such a move would give attackers “a
toehold” in Twitter’s internal network, potentially allowing them either
to sniff out user information as it travelled across the company’s
system or break into specific areas, such as the authentication servers
that process users’ passwords.
In a telephone
interview on Friday, Mr. Soltani said that the relatively limited number
of users affected suggested either that attackers weren’t on the
network long or that they were only able to compromise a subset of the
company’s servers.
Twitter is generally used to
broadcast messages to the public, so the hacking might not immediately
have yielded any important secrets. But the stolen credentials could be
used to eavesdrop on private messages or track which Internet address a
user is posting from.
That might be useful, for example, for an authoritarian regime trying to keep tabs on a journalist’s movements.
“More
realistically, someone could use that as an entry point into another
service,” Mr. Soltani said, noting that since few people bother using
different passwords for different services, a password stolen from
Twitter might be just as handy for reading a journalist’s emails.
No comments:
Post a Comment