Note: This is a guest post written by Sheine Austria
Twitter says it was hacked. The company says usernames, email addresses, and some passwords of about a quarter of a million people were stolen in what it calls a sophisticated attack.
This week, the Wall Street Journal and the New York Times brought this alarming news.
The popular social media network, Twitter, published a blog post entitled “Keeping our users secure”. The post says that Twitter has “reset passwords and revoked session tokens” for the accounts it believes were compromised in the attack.
For those who may not know, a session token is a random, one-off value that the site sets in a cookie once you log in; the browser sends it back to Twitter on every later request as proof that you already authenticated. Its purpose is to spare you from entering your username and password over and over again.
In theory, a hacker who steals your session token can take over your account, at least until you next log off.
By unilaterally rejecting your session token, Twitter causes you only a minor annoyance: you have to type in your password again to start a new session. For a session hijacker, on the other hand, this is a major problem, because they do not have your password and so cannot get back into your account.
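To make the mechanics concrete, here is a small session-token model written for this post (it is an added example, not Twitter's code, and the store, lifetime and function names are all assumptions). It shows why possession of the token is all a hijacker needs, and why "revoke session tokens" is an effective response: once the server forgets the token, the cookie in the attacker's browser is worthless, and only someone who knows the password can mint a new one. It also includes an explicit logout, which is the user-side way of shortening the window in which a stolen cookie works.

```python
import hashlib
import secrets
import time

# Hypothetical, simplified session store for a site such as Twitter (assumption).
# Only a SHA-256 hash of each token is kept server-side, so a leaked store
# does not hand out ready-to-use cookies.
SESSION_TTL_SECONDS = 7 * 24 * 3600   # assumed cookie lifetime: one week

_sessions = {}   # sha256(token) -> {"user": str, "expires": float}


def _hash_token(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user, now=None):
    """Log-in succeeded: mint a random, unguessable token for the browser's cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    _sessions[_hash_token(token)] = {"user": user, "expires": now + SESSION_TTL_SECONDS}
    return token


def validate_session(token, now=None):
    """Return the user a token belongs to, or None if it is unknown, revoked or expired.
    Note that the caller is not asked for a password: whoever presents the token is the user."""
    now = time.time() if now is None else now
    rec = _sessions.get(_hash_token(token))
    if rec is None or now >= rec["expires"]:
        return None
    return rec["user"]


def logout(token):
    """Explicit log-out: the token stops working immediately, whatever its expiry."""
    _sessions.pop(_hash_token(token), None)


def revoke_all_sessions(user):
    """Incident response: drop every live session of a possibly compromised account.
    A hijacker holding an old cookie is locked out; the real user logs in again
    with the password. Returns the number of sessions dropped."""
    stale = [h for h, rec in _sessions.items() if rec["user"] == user]
    for h in stale:
        del _sessions[h]
    return len(stale)


if __name__ == "__main__":
    cookie = issue_session("alice", now=1000.0)
    print("valid before revocation:", validate_session(cookie, now=1001.0))
    print("sessions revoked:", revoke_all_sessions("alice"))
    print("valid after revocation:", validate_session(cookie, now=1002.0))
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; a real server would use the clock directly, and would also tie the token to a `Secure`, `HttpOnly` cookie so that it is sent only over TLS and is not readable by page scripts.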
Twitter also advised turning off Java in your browser. But there was no confirmation that having Java enabled in your browser had anything to do with the attack on the Twitter network; this is just more “just to be safe” advice from them.
The folks at Twitter are also looking at the possibility of a client-side vulnerability as the catalyst of their headaches, but again there is no confirmation that this is a strong lead. As many may remember, a few years ago Twitter had a problem when one of its staff chose a weak password. Looking at this case, though, it is difficult to see how a vulnerability on your client could lead to a server-side database compromise.
Users still have questions that need to be addressed. How did the attackers get in? Why did it go undetected for such a long time? Is a quarter of a million users the correct estimate, or were more accounts compromised than that? And more importantly, are usernames, emails and passwords the only things the hackers got away with?
Right now, Twitter is being quite open about this incident, and its investigation continues. So, for the moment, users may have to take its advice at face value. If you feel unsure about your Twitter account, change your password as often as you can, and avoid using your Twitter account on devices or in places that seem unsafe. Easily guessed or short passwords must be avoided. Simply put, longer, complex passwords are harder to crack from their hashes. The hackers had no problem getting a quarter of a million account details, and a password that is just your birthday would be a walk in the park for them.
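The point about hashes deserves a worked example. The block below is added here for illustration; it is not Twitter's code, and the work factor and the assumed guessing rate are placeholders. It shows the defender's side (a per-user random salt plus a deliberately slow key-derivation function, so that a stolen table yields one password at a time and each guess costs real CPU) and then puts numbers on why length matters: the attacker's effort grows with the size of the character set raised to the password length, so a short all-digit password such as a birthday is exhausted almost instantly whatever the hashing, while a long mixed password is not.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ROUNDS = 210_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage. A fresh random salt per user means
    two users with the same password get different digests, and precomputed
    tables are useless."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time (timing-safe)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def guesses_to_exhaust(length, charset_size):
    """How many candidates cover every password of this length drawn from a
    charset of charset_size symbols (digits: 10, mixed-case letters plus digits: 62)."""
    return charset_size ** length


def years_to_exhaust(length, charset_size, guesses_per_second):
    """Time to try every candidate at an assumed guessing rate, in years."""
    seconds = guesses_to_exhaust(length, charset_size) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("login ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong password:", verify_password("19850704", salt, digest))
    rate = 1e6   # assumed guesses per second against this work factor
    print("8 digits (a birthday):     %.2e years" % years_to_exhaust(8, 10, rate))
    print("16 mixed characters:       %.2e years" % years_to_exhaust(16, 62, rate))
```

Two design choices are worth noting: the digest is compared with `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading bytes matched, and the slow KDF is what turns a database leak from "every password is readable" into "each guess costs the attacker as much as it costs the login server".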
Twitter has mentioned the possibility of Java playing a part in the attack, so it is best to just follow their advice and turn off Java when you aren’t using it. A good rule of thumb is not to leave your account logged in when you are not using it. Remember, regular logouts mean your session cookies are valid for shorter periods.
Anyway, let’s just hope that Twitter bounces back from this one and has upped the ante when it comes to security. For now, users will have to be more vigilant in protecting their accounts.
Note: This guest post was written by Sheine Austria, a freelance web designer.