Bob Lord, director of information security at Twitter, today published a post on the social network's official blog informing users that roughly 250,000 accounts have been hacked. The data stolen from these accounts includes email addresses, encrypted passwords, session tokens, and usernames. Twitter says that this is all "limited information" for the hacker, but even encrypted data can easily be broken once an intruder has gained access to it.

To assist the affected users, Twitter has issued password reset emails and canceled all session tokens. This will ensure that the hacker does not continue to fiddle with the accounts, though some of the damage may already have been done. For instance, now that the hacker knows the users' email addresses, he can continue to wreak havoc on their digital lives by using those addresses as a key to other vulnerable websites and services.

Twitter wants to make sure that the average user understands this incident can be used as a learning tool. Bob Lord explains that this is another reason for the average user to use a stronger password. "The attack was not the work of amateurs," said Lord, "and we do not believe it was an isolated incident." Twitter wished to make the breach public so that other companies could be on the lookout for a similar event.

The San Francisco, Calif.-based company does not go into much detail about the hack and does not give a clear reason why it occurred. Was it a flaw on Twitter's side or did a quarter of a million users have very weak passwords? The former is the cynic's choice, but the latter is much more likely based on the information provided.

Other coverage hints that Twitter is not sure how the break-in happened. The Verge even reports that a Twitter representative told them "the company doesn't have definitive evidence that the accounts were in fact compromised at this time," also noting that the social network continues to investigate to find the true problem.

Sources: Twitter Blog | The Verge