My Twitter Password Was Compromised Again

Feb 4, 2013 • 8:12 am | comments (5) | Filed Under Other Search Topics
 

On Friday night, hundreds of thousands of Twitter users had their passwords compromised, and Twitter had to send password reset notifications to 250,000 users. That includes my Twitter account @rustybrick.

It wasn't the first time, and I am one of those paranoid password people who won't click on links in emails and consider almost all emails suspicious. Twitter explained that this attack wasn't the users' fault; they said:

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
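Twitter's statement says the stolen records held "encrypted/salted versions of passwords." The following is an added example, not Twitter's code; the page does not say which algorithm or work factor Twitter used, so the PBKDF2-HMAC-SHA256 scheme, the iteration count and the wordlist below are assumptions for illustration. It stores a password with a per-user random salt, verifies it, and then runs the offline guessing that anyone holding a stolen record can do:

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# PBKDF2-HMAC-SHA256 parameters. Assumption for illustration only: the page
# does not say which algorithm or work factor Twitter actually used.
ITERATIONS = 20_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Build the stored record for one user: random per-user salt + slow digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def offline_guess(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """What someone holding a stolen record can do: try guesses against that user's salt.

    The salt forces the work to be redone per user, but it does not stop this loop.
    Only password strength and the per-guess cost (iterations) slow it down.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# Constructed wordlist for the demo, not taken from any real dump.
WORDLIST = ["123456", "password", "twitter", "letmein", "qwerty", "abc123"]


def salts_isolate_users() -> bool:
    """Two users with the same password get different digests, so one precomputed
    table, or one cracked user, does not expose the other."""
    a = hash_password("letmein")
    b = hash_password("letmein")
    return a["digest"] != b["digest"]


def demo():
    """Return (guess recovered for the weak record, guess recovered for the random one)."""
    weak = hash_password("letmein")             # appears in the wordlist
    strong = hash_password("Kq7#v9!pLm2xZ@4r")  # random, not in any short list
    return offline_guess(weak, WORDLIST), offline_guess(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())  # ('letmein', None)
```

The salt and the slow derivation raise the attacker's cost per user and per guess, but they do not change the outcome for a weak password: the "letmein" record falls to a six-entry list regardless of salt. That is why a reset of the affected accounts, and changing any password reused elsewhere, still matter even when the stored form is salted.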

It is just crazy how passwords these days are simply not secure. Personally, I think every site should offer a two-factor authentication option, although it isn't always cheap for the site owner or easy for the end user. I am baffled that my bank doesn't offer two-factor, but whatever.

A WebmasterWorld thread has one user saying the passwords have yet to turn up on torrent sites. Maybe in time, or maybe it was a bit beyond torrent-level hacking?

Note: if you use that same password on other sites, you will want to change it everywhere.

Forum discussion at WebmasterWorld.

Comments:

Alistair Lattimore

02/04/2013 01:28 pm

Barry, are you using different, randomly generated passwords for different sites? I started using LastPass last year and while I thought I did a pretty good job of using a good array of passwords depending on the type of website or how important it was to me, LastPass completely shattered that misconception. Since installing it, I've been systematically going through all of my accounts and setting a randomly generated 10+ character password. I then use LastPass to either log me into the website when needed, or I specifically log in to LastPass to retrieve my password for sites that I don't allow automatic login for. Al.

Gridlock

02/04/2013 02:59 pm

2-factor authentication would have done nothing here. The db was lifted.

keaner

02/04/2013 11:05 pm

Having the db is useless; as the post says, the passwords were salted and encrypted. Good luck. If they were only encrypted with SHA1 or MD5 etc. it would be easier to get them, but combined with salt it is almost useless to them.

Barry Schwartz

02/04/2013 11:08 pm

Yep.

parth Shah

02/06/2013 05:08 am

Yeah, for this we have reset passwords and revoked session tokens for Twitter.
