Twitter has announced that 250,000 accounts have been hacked in attacks that they say appeared similar to recent attacks on the New York Times and the Wall Street Journal. If the attacks, exposing usernames, encrypted password data, email addresses and session tokens, aren’t bad enough, Twitter’s announcement opens the door for a series of follow-up phishing attacks.
Here’s what to watch out for.
The number of accounts compromised is very small given the number of Twitter users. The main threat come from opportunists taking advantage of the situation. Following the discovery of the attack Twitter announced that they emailed the account holders concerned, opening the door for a potential attack route where fraudsters send emails purporting to come from Twitter, attempting to trick people into handing over their Twitter and other account information.
A second, much less likely, attack could come from a compromised Twitter account. The chances of this are lower as Twitter have said that they’ve identified the accounts concerned and the password data stolen is encrypted.
In either case emails purporting to come from Twitter, carrying links to malicious websites is expected.
If you have a Twitter account the advice is to try and log in to your account and, if there’s a problem, you should then reset your password.
If you receive an email purporting to come from Twitter, perform the step above, or very carefully check that any link in the mail goes to Twitter and not a site pretending to be Twitter. To do this, put your cursor over the link and check the address, which is normally shown in the bottom left of your browser window.
Finally Twitter are advising all users to:
[dacallout type=callout color=light]”take this opportunity to ensure that they are following good password hygiene, on Twitter and elsewhere on the Internet. Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords.”[/dacallout]
That’s good advice.