I’ve been speaking to the media today about the Twitter hack that saw the credentials of around 250,000 users scooped up by cybercriminals.
During the day, the same questions have been cropping up – and I thought it would be useful to briefly cover them here.
What did the hackers steal?
According to a blog post by Twitter, the hackers stole usernames, email addresses, session tokens and salted-and-hashed passwords (which is certainly better news than if they had stolen plaintext passwords).
What could the hackers do with that information?
A few things:
- The hackers could spam the email addresses, pretending to be Twitter and maybe trick you into clicking on a link or opening an attachment. In this way they might steal further information from you.
- They could target specific Twitter users (they now know the email address associated with each of the affected accounts) and craft an email designed to dupe the user in some way – potentially into clicking on a dangerous link or attachment – perhaps pretending to be someone else.
- Using the stolen session token they could, in theory, hijack your account, at least until the you or the hacker next logs off.
- They could attempt to crack the passwords, by setting computers and large dictionaries of commonly used passwords against the problem. If some of the passwords are cracked, the hackers could then attempt to see if the same passwords will also unlock victims’ *other* accounts (such as their email).
Who is behind the hack attack on Twitter?
We don’t know. Twitter has had its internal systems hacked in the past (infamously, for instance, celebrity accounts were hijacked after a Twitter employee was found by hackers to be using an extremely weak password – “happiness”). Normally attacks are against individual accounts with the intention of spreading diet spam or malicious links, rather than against Twitter’s systems themselves.
I’ve heard media reports linking the Twitter hack with the attack on the New York Times and other newspapers that’s been blamed on China. Was it the Chinese who hacked Twitter?
Although Twitter referenced the recent high-profile attacks on newspapers, they haven’t explicitly said that they believe China hacked Twitter or presented any evidence to suggest that.
If Twitter has any information that does point a finger of suspicion towards China (such as if dissident or human rights Twitter accounts were targeted) they haven’t shared that with the media.
How will I know if I am one of the Twitter users who has been affected?
Twitter has emailed affected users, resetting passwords and revoking session tokens. Your old password will no longer allow you into Twitter, and you’ll have to choose another one.
What kind of password should I use?
Always use passwords that are not easy-to-guess or dictionary words. Make it as long as possible, and use a mixture of upper and lower case letters, numbers and special characters.
How am I supposed to remember a password like that?
Here’s a video which explains how to choose a strong password, which is easy to remember but still hard to crack:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
But you say I should have a different password for every website I use… how can I realistically remember all of them?
You can’t. Use password management software like KeePass, 1Password or LastPass. They can hold your passwords securely, and all you have to remember is your master password (make it a good one). Password management software can even generate random, complex passwords for you when you create new accounts.
Couldn’t I just let my browser remember my passwords?
Most modern browsers do offer to save your usernames and passwords for the websites you visit, but I do not recommend it.
Why does Twitter say that I should disable Java in my browser?
Whether your browser is Java-enabled or not has no bearing on whether Twitter (on completely different computers from your own) is capable of being hacked or not. However, we do see frequent web-based attacks exploiting security holes in Java – so, unless you really need it, it might be wise to learn how to turn off Java in your browser.
Think of it as Twitter just trying to be helpful and neighbourly, rather than giving advice specific to this latest attack.
(Of course, it’s always possible that the computers of Twitter employees were infected via a Java vulnerability. But they haven’t owned up to that. Other possible vectors by which Twitter staff might have been hit by malware included boobytrapped Word Documents or PDF files).
How else might take advantage of the Twitter hack?
It’s possible we could see bogus emails spammed out pretending to come from Twitter. Users might be tricked into believing that they are really messages from Twitter telling them that their account was compromised in the hack, and click on links without thinking of the possible consequences. All users need to be on their guard against social engineering tricks like this.
What else should I do?
Read this article by my colleague Paul Ducklin.