Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Twitter Confirms Compromise of Approximately 250,000 Users

Published: 2013-02-02
Last Updated: 2013-02-02 02:22:50 UTC
by Kevin Liston (Version: 1)
0 comment(s)

When I started my shift I was thinking of writing about how it's important to log out of things like Facebook, Gmail, etc. whenever you're not using them.  Then my twitter feed lit up with links to this announcement: http://blog.twitter.com/2013/02/keeping-our-users-secure.html

There are a lot of distractions in the post: references to the New York Times and Wall Street Journal announcement of a compromise, and a warning about updating the java in your browser.  While the NYT/WSJ hack is news worthy and updating your browser's java (or uninstalling it) is a "really good idea"(tm) neither are related to the Twitter incident.  The important bit that you need to look at is this: "investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users."  That's a system-penetration, and while they continue their investigation (which is going to take long time,) they are containing the incident by invalidating session tokens and issuing password resets.

It's good that they share the scope of what was exposed and point out that it was session tokens and encrypted/salted passwords.  It's good news they even use the term salt.

If you have received a password reset message, then you should probably do the following: log out of every one of your mobile apps that interacts with twitter.  From within the web interface of twitter, click on the Settings/gear icon and click on settings.  Click on Apps and it will show you what apps are authenticated and you can revoke access.  See any there you don't recognize?  I was a bit surprised to see a TweetDeck still active from 10-FEB-2012 that had permissions to read, write and direct messages.  Then log out of twitter and follow their instructions to reset your password.  Try to not do this from a shared system or on a public or hotel wifi if you can avoid it.

In general, log out of things.  Log out of linkedin, and foursquare, and facebook, and twitter when you're not using them.  Staying authenticated to gmail or yahoo mail is why your webmail account starts sending out pharmaceutical spam when you happen upon someone's hacked wordpress site.

Keywords: Twitter
0 comment(s)
Diary Archives