Twitter said today that it recently detected a series of attempts to hack into user data and that the attackers may have successfully absconded with some users' information.
In a blog post this afternoon, Twitter explained the situation and the steps it has taken to fight off the hackers.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information -- usernames, e-mail addresses, session tokens, and encrypted/salted versions of passwords -- for approximately 250,000 users.
As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an e-mail from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
In an e-mail to affected users (including myself), Twitter wrote that it "believes that your account may have been compromised by a Web site or service not associated with Twitter. We've reset your password to prevent others from accessing your account."
Many people are speculating on Twitter that the affected accounts are all among the service's earliest -- in other words, that they were accounts created in 2006 or 2007, since only owners of accounts that old seem to have received the notice from Twitter. It appears that the hackers behind the attacks had not targeted any specific group, like political dissidents or media organizations.
In its blog post, the company said the affected accounts represent a very small fraction of its users, but it encouraged everyone who uses the service to make sure they are practicing "good password hygiene, on Twitter and elsewhere on the Internet." Among its suggestions: use a unique password for each site, at least 10 characters long, mixing upper- and lowercase letters, numbers, and symbols. Citing recent attacks on other high-profile tech and media companies, Twitter also pointed users to the U.S. Department of Homeland Security's recent advisory recommending that Java be disabled in Web browsers, among other precautions. Twitter's blog post concludes with the following:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.