Twitter Hack: Find Out If You're Affected
Posted on February 2nd 2013
Around 250,000 people have had their passwords reset after "sophisticated" hackers broke into Twitter's database and may have stolen email addresses and "encrypted/salted" passwords (in practice, salted password hashes rather than the passwords themselves). Here's a guide to what you need to know.
Q: How can I find out if I have been affected?
Go to twitter.com in a web browser and try to log in with your usual password. If you cannot log in (the site will say there is a problem with your username or password), you have been affected.
(Part of this answer has been deleted because Paul Lomax points out that web access will already have been revoked if you were affected. See below.)
Q: I can’t check that just now. Am I likely to have been affected?
Only if you joined Twitter roughly in the first half of 2007. At that time it had a few million users. People (including myself) who joined in May 2007 have been affected. If you can’t remember when you joined Twitter, you can find out your “Twitter birthday” for yourself or any other user (it’s not private data).
Most people joined well after mid-2007, so on that basis you’re unlikely to have been affected.
Q: I can’t see an email from Twitter, and I can still post from Tweetdeck and other third-party clients – I haven’t tried the website. This means I’m OK, doesn’t it?
Not necessarily. The email from Twitter may have been filtered into your spam folder. (Users of Google's Gmail should look specifically in their Spam folder: Gmail's search does not cover spam messages by default, and Twitter's reset message to a Gmail account I use was filtered as spam.)
The reason third-party clients still let you tweet is that Twitter never gives them your password. Instead, when you first authorise a client it is issued an OAuth access token, and it is that token, not your password, that authorises it to send tweets to Twitter's database for redistribution to your followers. Those tokens were not revoked as part of the password reset. Revoking them would have forced you to re-authorise every app, and for some apps Twitter makes only a limited number of tokens available, so that would have hurt both users and app developers.
Q: What did the hackers get?
Twitter says: "Our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords." Session tokens identify a logged-in browser session on the twitter.com website; third-party applications use the separate tokens described above, which are not in that list.
Update: Twitter has asked us to point out the emphasis on the point that hackers “may” have had that access: “it’s not 100% certain that they did. We reset passwords as a precautionary measure,” a spokesperson told the Guardian.
Q: What has Twitter done about it?
It has revoked the session tokens, so web-based access for those accounts (such as the twitter.com website; see Paul Lomax's comment) won't work, and it has reset the passwords, so even if the hackers manage to crack the stolen hashes, the recovered passwords no longer work on Twitter. They may still work anywhere else the same password was reused, which Twitter's reset cannot fix.
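To make the two answers above concrete (why third-party apps kept working, and what the reset actually invalidated), here is a small model of an account store with the three credentials the article distinguishes: a salted password hash, a twitter.com session token, and an app token that the client holds instead of the password. This is an added example, not Twitter's code; the class and function names, the PBKDF2 settings and the sample account are assumptions for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Added example, not Twitter's code. It models the three credentials the
# article distinguishes (salted password hash, twitter.com session token,
# third-party app token) and the breach response described above. The
# PBKDF2 settings and all names below are assumptions for the illustration.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash: the 'encrypted/salted' form of a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes | None                         # None = reset pending, password login disabled
    web_sessions: set[str] = field(default_factory=set)  # twitter.com browser sessions
    app_tokens: set[str] = field(default_factory=set)    # OAuth-style tokens held by apps


class AccountStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login_web(self, username: str, password: str) -> str | None:
        """Password login on the website: succeeds only if the stored hash matches,
        and hands back a fresh session token for the browser."""
        acct = self.accounts[username]
        if acct.password_hash is None:
            return None
        if not hmac.compare_digest(acct.password_hash, hash_password(password, acct.salt)):
            return None
        token = secrets.token_urlsafe(32)
        acct.web_sessions.add(token)
        return token

    def authorize_app(self, username: str) -> str:
        """The one-time app authorisation step: the app receives its own token and never
        sees the password, which is why a later password reset leaves it working."""
        token = secrets.token_urlsafe(32)
        self.accounts[username].app_tokens.add(token)
        return token

    def web_request_ok(self, username: str, session_token: str) -> bool:
        return session_token in self.accounts[username].web_sessions

    def app_request_ok(self, username: str, app_token: str) -> bool:
        return app_token in self.accounts[username].app_tokens

    def force_reset(self, username: str) -> None:
        """What the article says Twitter did for affected accounts: the old password (and so
        the stolen hash) stops working and every web session is revoked, but app tokens
        are deliberately left in place."""
        acct = self.accounts[username]
        acct.password_hash = None
        acct.web_sessions.clear()

    def complete_reset(self, username: str, new_password: str) -> None:
        """The user follows the reset email and chooses a new password; a new salt is drawn
        so the new hash shares nothing with the leaked one."""
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.password_hash = hash_password(new_password, acct.salt)

    def revoke_app_tokens(self, username: str) -> int:
        """The stricter option Twitter did not take: every app must re-authorise."""
        acct = self.accounts[username]
        count = len(acct.app_tokens)
        acct.app_tokens.clear()
        return count


def breach_response_outcome() -> dict[str, bool]:
    """Walk one affected account through the sequence and report what still works."""
    store = AccountStore()
    store.register("earlyadopter", "correct horse battery")   # constructed sample account
    web_session = store.login_web("earlyadopter", "correct horse battery")
    app_token = store.authorize_app("earlyadopter")

    store.force_reset("earlyadopter")                           # Twitter's precaution
    outcome = {
        "old_password_still_logs_in": store.login_web("earlyadopter", "correct horse battery") is not None,
        "old_web_session_still_valid": store.web_request_ok("earlyadopter", web_session),
        "app_token_still_valid": store.app_request_ok("earlyadopter", app_token),
    }
    store.complete_reset("earlyadopter", "a different, unique passphrase")
    outcome["new_password_logs_in"] = store.login_web("earlyadopter", "a different, unique passphrase") is not None
    outcome["old_password_after_reset"] = store.login_web("earlyadopter", "correct horse battery") is not None
    return outcome


if __name__ == "__main__":
    for name, value in breach_response_outcome().items():
        print(f"{name}: {value}")
```

Running it shows the split the article describes: after `force_reset` the old password and the old browser session are dead while the app token still authorises requests, and only the separate `revoke_app_tokens` step (the one Twitter chose not to take) would cut the apps off.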
Q: Why did they go after the early adopters of Twitter?
Probably they didn't, directly. Chris Applegate speculates that the method used gave the attackers a way to query Twitter's user database and list user records, and that the records came back in the default order, ascending by user ID, that is, from user No.1 upwards. A dump of the first 250,000 rows would therefore consist of the earliest accounts, which means Twitter's founders, such as Biz Stone, Jack Dorsey and Evan Williams, have almost certainly been affected.
Q: What were they after?
What most hackers are after – access to accounts. There’s no indication yet of what group or individual might have been behind it, but getting secret access to accounts is always useful to hackers: it lets them watch people, or masquerade as others and send poisoned links via direct message to get control of more accounts.
Plus, some people use the same password for Twitter as for their email and other accounts (a very bad move). If the hackers are able to crack the stolen password hashes, every account that shares a cracked password is exposed, and a compromised email account in particular lets an attacker reset passwords elsewhere, so the problems escalate for those people.
Always, always use different passwords for important accounts, and don't chain your email accounts together (so that a password reset for one is sent to another, more vulnerable one).
Twitter’s advice on passwords: “Make sure you use a strong password – at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols – that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised. If you are not using good password hygiene, take a moment now to change your Twitter passwords.”
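The two answers above turn on one question: how much can an attacker do with "encrypted/salted versions of passwords" once they have been stolen? The following added example (not Twitter's code, and not based on anything Twitter has disclosed about its storage) builds a small constructed dump of three accounts and runs the same wordlist against it under two storage schemes, to show what per-user salting and a slow hash buy, and why a weak or reused password is still crackable offline regardless. The account names, passwords, wordlist and iteration count are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os

# Added example, not Twitter's code. It builds a constructed "leaked" dump of
# three accounts and runs one small wordlist against it under two storage
# schemes, to show what 'encrypted/salted' buys and why a weak or reused
# password is still the weak point. Names, wordlist and iteration count are
# assumptions for the illustration; a real attacker's list is far larger.
PBKDF2_ITERATIONS = 20_000

# Constructed sample accounts: two weak passwords that appear in the wordlist,
# one long random password that does not.
SAMPLE_ACCOUNTS = [
    ("alice", "letmein"),
    ("bob", "twitter"),
    ("carol", "Vq8#wL2!pZr0mT"),   # unique and not in any wordlist
]
WORDLIST = ["123456", "password", "letmein", "twitter", "qwerty", "iloveyou", "welcome1", "abc123"]


def leak_unsalted(accounts):
    """Storage scheme A: one fast, unsalted hash per password (the bad case)."""
    return [(user, hashlib.sha256(pw.encode()).digest()) for user, pw in accounts]


def leak_salted(accounts):
    """Storage scheme B: per-user random salt plus a slow KDF (what 'salted' should mean)."""
    rows = []
    for user, pw in accounts:
        salt = os.urandom(16)
        rows.append((user, salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)))
    return rows


def crack_unsalted(dump, wordlist):
    """Hash each candidate once and reuse the table for every user in the dump."""
    table = {hashlib.sha256(w.encode()).digest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump if h in table}
    return cracked, len(wordlist)   # work does not grow with the number of leaked users


def crack_salted(dump, wordlist):
    """Each user needs its own run over the wordlist, at the KDF's cost per guess."""
    cracked, work = {}, 0
    for user, salt, h in dump:
        for candidate in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
            if hmac.compare_digest(guess, h):
                cracked[user] = candidate
                break
    return cracked, work


def compare_schemes():
    """Crack both leaked forms of the same accounts; report what fell and how much work it took."""
    unsalted_cracked, unsalted_work = crack_unsalted(leak_unsalted(SAMPLE_ACCOUNTS), WORDLIST)
    salted_cracked, salted_work = crack_salted(leak_salted(SAMPLE_ACCOUNTS), WORDLIST)
    return {
        "unsalted": {"cracked": unsalted_cracked, "hash_operations": unsalted_work},
        "salted": {"cracked": salted_cracked, "kdf_operations": salted_work},
    }


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(scheme, result)
```

In both schemes the two dictionary passwords fall and the unique one survives; the salt and slow KDF only raise the attacker's cost per user (here 15 KDF calls against 8 cheap hashes, and the gap widens with a real wordlist and a real user count). That is exactly why Twitter reset passwords "as a precautionary measure" and why a cracked password such as alice's "letmein" is dangerous wherever else she reused it.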
Q: How was it done?
Twitter isn't saying; its blog post about the attack says only that it detected "unusual access". That suggests the attackers were querying its user database through Twitter's own access path and found a way past its usual safeguards, but the company has not confirmed how.
It may be connected to the outage that Twitter suffered on Thursday, though the company hasn’t said.
Twitter is saying that “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
That implies this could be part of a pattern in which a number of media organisations, including the New York Times, the Wall Street Journal and, according to some reports, the Washington Post, have been attacked by Chinese hackers. With people such as the Dalai Lama on Twitter, it's possible this was an attempt to find out what important messages were being passed between such members.