Twitter's most serious security crisis


At 0430 this morning I was in a hotel in the French Alps waiting for a bus to take me through a blizzard to Geneva Airport and home.

Checking my email on my phone I found two messages from Twitter - each telling me that my password had been reset "as a precautionary security measure".

My first reaction was that this was yet another phishing scam, designed to take me to a site where I would hand over my Twitter credentials like a mug.

Then I asked my Twitter followers - and quickly realised that the emails were genuine and signalled the most serious security crisis in the company's history.

Scanning the company's blog, I found that I was one of a select few.

Just 250,000 out of 200 million active users have been warned that "limited information" may have fallen into the hands of hackers.

Early adopters

Twitter is emphasising that it acted rapidly to warn people the moment that it spotted the danger - but there is still little information about the nature of the attack or why just one small section of users is in danger.

From what I can see, most of the people who've received the email are early adopters, those who joined Twitter in 2007 or earlier.


Is there an early database which is not as secure as the systems brought in as Twitter took off?

Who is behind the attack?

Twitter is linking it to the attacks on the New York Times and the Wall Street Journal, which have been widely blamed on Chinese hackers.

But in this murky world where both attackers and defenders are reluctant to give anything away about their methods, we may never know for sure.

But the other company with a crisis on its hands is Oracle, owners of Java since the takeover of Sun Microsystems in 2011.

Everyone from the US Department of Homeland Security to Twitter is now warning that the programming language has flaws which are being exploited by hackers, and is advising users to disable it in their browsers.

In the meantime, this is another useful reminder to take more care of what Twitter's head of security calls "password hygiene".

That means passwords like "password" and "123456" just won't do any more.

Article written by Rory Cellan-Jones, Technology correspondent


    Comment number 2.

    There are other issues affecting security.

    In a secure system passwords are "salted" (random data added) and hashed (encrypted). Having obtained usernames and these hashes an attacker needs vast computing power to crack passwords.

    However the hash algorithms used were designed to hash large amounts of data. They are fast, allowing an attacker to try many guesses quickly. Need to use slow ones!
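The salted, slow hashing this comment describes, as an added example that is not from the article or the commenter: Python's standard-library PBKDF2 beside a single unsalted SHA-256, run against constructed sample accounts (the weak passwords are the ones the article names).

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor: makes every guess deliberately expensive

def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: one round of a general-purpose hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_password(password: str) -> dict:
    """Salted, slow scheme: fresh random salt per user plus PBKDF2 stretching."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}

def verify_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    # Constant-time comparison so timing does not reveal where the digests differ.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def crack_fast_hashes(leaked: dict, wordlist: list) -> tuple:
    """Unsalted fast hashes: hash each guess once, then look every user up in the
    table. Returns (cracked users, number of hash computations performed)."""
    table = {fast_unsalted_hash(g): g for g in wordlist}
    return {u: table[h] for u, h in leaked.items() if h in table}, len(wordlist)

def crack_salted_hashes(leaked: dict, wordlist: list) -> tuple:
    """Salted slow hashes: each guess must be recomputed per user with that user's
    salt, and every computation costs ITERATIONS rounds instead of one."""
    cracked, work = {}, 0
    for user, record in leaked.items():
        for guess in wordlist:
            work += 1
            if verify_password(record, guess):
                cracked[user] = guess
                break
    return cracked, work

# Constructed sample accounts; carol reuses alice's password to show that the
# unsalted hashes collide while the salted records differ.
PASSWORDS = {"alice": "password", "bob": "123456", "carol": "password"}
GUESSES = ["password", "123456", "qwerty"]
FAST_LEAK = {u: fast_unsalted_hash(p) for u, p in PASSWORDS.items()}
SALTED_LEAK = {u: store_password(p) for u, p in PASSWORDS.items()}
```

With the fast scheme three hash computations crack all three accounts at once; with the salted scheme the attacker needs a separate run per user, each one ITERATIONS times slower.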


    Comment number 1.

    The problem isn't so much password simplicity as password reuse. When hackers try to brute force accounts, they're not trying random combinations of usernames and passwords, they're trying username and password combinations they've managed to get elsewhere, such as through phishing scams and other hacks.


Copyright © 2015 BBC. The BBC is not responsible for the content of external sites. Read more.