Dear Twitter User:
As a precautionary security measure, we have reset your Twitter account password. Check your inbox for a separate email from Twitter with instructions on how to reset your password. If you don’t see an email, you can go to this page in our Help Center to request a password reset.
More information is below.
We recently detected an attack on our systems in which the attackers may have had access to limited user information – specifically, your username, email address and an encrypted/salted version of your password (not the actual letters and numbers in your password).
Further information about the attack can be found in this blog post.
Since your password has been reset, your old password will not work when you try to log into Twitter. We strongly encourage you to take this opportunity to select a strong password – at least 10 (but more is better) characters and a mixture of upper and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites.
Using the same password for multiple online accounts significantly increases your odds of being compromised. For more information about making your Twitter and other Internet accounts more secure, read our Help Center documentation or the FTC’s guide on passwords.
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.
For that reason we felt that it was important to reset your password and publicize this attack while we still gather information. We are also helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
Twitter BBC news story
A quarter of a million Twitter users have had their accounts hacked in the latest of a string of high-profile internet security breaches.
Twitter’s information security director Bob Lord said about 250,000 users’ passwords had been stolen, as well as usernames, emails and other data. Affected users have had passwords invalidated and have been sent emails informing them. Mr Lord said the attack “was not the work of amateurs”. He said it appeared similar to recent attacks on the New York Times and others.
The US newspaper reported this week that their computer systems had been breached by China-based hackers.
Mr Lord said in a blog post Twitter had discovered unauthorised attempts to access data held by the website, including one attack that was identified and stopped moments after it was detected. “This attack was not the work of amateurs, and we do not believe it was an isolated incident,” he wrote.
Mr Lord did not say who had carried out the attack, but added: “The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked.”
“For that reason we felt that it was important to publicise this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users.”
Internet security specialist Graham Cluley warned Twitter’s announcement that emails would be sent to users may prompt a spate of spam emails “phishing” for sensitive information. He says people should be cautious about opening emails which appear to be from Twitter.
“You have to be careful if you get hold of one of these emails because, of course, it could equally be a phishing attack – it could be someone pretending to be Twitter.
“So, log into the Twitter site as normal and try and log in to your account and, if there’s a problem, that’s when you actually have to try and reset your password.”
Philip Hampsheir, Business reporter
The biggest worry for most of Twitter’s 200 million active users is not this attack per se, but the additional new “phishing” scams the attack has already inspired. Since Twitter users now know to be on the lookout for emails asking them to change their passwords, criminals are sending out very similar messages. If users click on the links in those they risk – once again – having their account hacked.
Don’t click on links in emails asking you to change your password. Go directly to the web site, log in normally, and change it using the instructions without clicking on email links.
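The advice above is to avoid the links in a password-reset email altogether. For a mail gateway or a user who wants to check before deciding, the Python example below (added here; not from the BBC story or from Twitter) audits the anchors in an HTML message body: it flags links that are not HTTPS, links whose host is not the assumed legitimate domain `twitter.com` or a subdomain of it, hosts in punycode form, and links whose visible text shows one address while the `href` points at another. The sample message is constructed for the demo.

```python
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the only hosts a genuine reset link from this sender should use.
TRUSTED_DOMAINS = {"twitter.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host: str) -> bool:
    """True for a trusted domain or any subdomain of it; a host such as
    'twitter.com.example' does not qualify because the suffix test is anchored."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def shown_host(text: str) -> Optional[str]:
    """If the link's visible text itself looks like a URL, return its host."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname


def audit_links(html: str) -> List[Dict]:
    """Return one finding per link with the reasons it looks suspicious, if any."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlparse(href)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme != "https":
            reasons.append("scheme %s" % (parts.scheme or "none"))
        if not host_is_trusted(host):
            reasons.append("host %r not trusted" % host)
        if "xn--" in host:
            reasons.append("punycode host")
        shown = shown_host(text)
        if shown and shown.lower() != host.lower():
            reasons.append("text shows %s but link goes to %s" % (shown, host))
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


def all_links_trusted(html: str) -> bool:
    return not any(f["suspicious"] for f in audit_links(html))


# Constructed sample: one genuine-looking link and two that should be flagged.
SAMPLE_EMAIL = """
<p>Dear Twitter User, please <a href="https://twitter.com/account/resend_password">reset your password</a>.</p>
<p>Or click <a href="http://twitter.com.account-verify.example/reset">https://twitter.com/reset</a> now.</p>
<p><a href="https://xn--tw1tter-placeholder.example/login">Log in</a></p>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if f["suspicious"] else "ok         ") + f["href"], f["reasons"])
```

The host check is anchored on the domain suffix, so a name that merely contains `twitter.com` somewhere in front of another domain is not accepted; the text-versus-href comparison catches the common trick of displaying a genuine address over a different destination. Even when every link passes, the safer habit the reporter describes, typing the site address yourself, costs nothing.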