Twitter announced late Friday afternoon that sophisticated hackers might have gained access to data associated with about 250,000 accounts on the site, and that the company believes “this attack was not the work of amateurs.” While the hacks only potentially affected a small percentage of Twitter users, the company urged everyone to change their passwords regularly and keep track of their accounts.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
The company noted that there have been reports this week of several high-profile incidents of Chinese hackers targeting U.S. media companies, including The Wall Street Journal and The New York Times. Twitter noted that it wanted to publicize the incident because it doesn’t think it was an isolated or random event, but it stopped short of identifying any likely group or country behind the attacks:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
While the hackers may have gained access to 250,000 accounts, that’s still only a small percentage of regular Twitter users. Twitter announced on Dec. 18 that it had more than 200 million active users. So the hacked accounts would make up less than one percent of monthly active users.
Back in 2010, Twitter settled with the FCC after hackers found they were able to access user accounts, including President Barack Obama’s account, by guessing passwords and were able to send fake tweets. The company downplayed the security risk at the time, although it wasn’t the first security lapse the company faced.