Late Friday Twitter revealed that it had stopped a sophisticated attack against its users — but not before approximately 250,000 user accounts were compromised.
Potentially compromised Twitter users received emails late Friday advising them that, as a precautionary security measure, Twitter had reset their user passwords.
“We recently detected an attack on our systems in which the attackers may have had access to limited user information – specifically, your username, email address and an encrypted/salted version of your password (not the actual letters and numbers in your password),” Twitter stated in emails to compromised users.
Twitter’s weak link is that a username and password alone are enough to log in. Google’s Gmail now offers two-factor authentication as an option; Twitter does not. With two-factor authentication, a user needs the username and password plus a second, short-lived code generated on a separate device (typically a phone), so a leaked or cracked password is not enough on its own to open the account. “Users that feel strongly about the privacy and security of their accounts will not mind the additional step to gain greater security,” Qualys CTO Wolfgang Kandek said. “I use two-factor authentication every day on my Gmail accounts, and I find it to be well worth the added time that I spend every morning when I login and have to consult my phone for the token numbers.”
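The two pieces the article touches on, a salted password hash on the server (the “encrypted/salted” value Twitter’s email mentions) and a second factor read off a phone, fit together in a login check like the one below. This is an added example, not Twitter’s or Google’s code, and it assumes the phone-app style of second factor, time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The page does not say which password-hashing scheme Twitter used; PBKDF2-HMAC-SHA256 with a per-user random salt is chosen here as a reasonable stand-in. The `Account` class, its method names and the demo user are all invented for illustration.

```python
"""Password + TOTP login check (illustrative; not code from the article or from Twitter)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def provision_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded as authenticator apps expect it (assumed enrolment step)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The server stores (salt, digest), never the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class Account:
    """Hypothetical server-side record for one user: salted password hash plus TOTP secret."""

    def __init__(self, username: str, password: str, totp_secret_b32: str) -> None:
        self.username = username
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = base64.b32decode(totp_secret_b32)
        self.last_counter = -1          # highest TOTP counter already accepted (replay guard)

    def check_password(self, password: str) -> bool:
        _, digest = hash_password(password, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)   # constant-time compare

    def matching_totp_counter(self, submitted: str, at: Optional[int] = None,
                              step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
        """Return the counter the submitted code matches, or None. Accepts +/- `window` steps of
        clock drift, but never a counter at or below the last one accepted (captured codes are dead)."""
        if at is None:
            at = int(time.time())
        if len(submitted) != digits or not submitted.isdigit():
            return None
        base = at // step
        for skew in range(-window, window + 1):
            counter = base + skew
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.totp_secret, counter, digits), submitted):
                return counter
        return None

    def login(self, password: str, code: str, at: Optional[int] = None) -> bool:
        """Both factors are always evaluated; the counter is only burned when the password is right,
        so a wrong-password attempt cannot consume a valid code for the real user."""
        pw_ok = self.check_password(password)
        counter = self.matching_totp_counter(code, at)
        if not (pw_ok and counter is not None):
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, so the codes match the published test vectors.
    demo_secret = base64.b32encode(b"12345678901234567890").decode("ascii")
    acct = Account("demo-user", "correct horse battery staple", demo_secret)
    print("counter 0 ->", hotp(b"12345678901234567890", 0))
    print("login with password + current code:",
          acct.login("correct horse battery staple", totp(acct.totp_secret)))
```

The `window` parameter is the usual trade-off: one step either side tolerates a phone clock a few seconds off, while the replay guard stops a code sniffed from one login from being reused within that same window.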