Very recently, Twitter made an announcement regarding a security breach which resulted in 250,000 Twitter accounts being compromised. Twitter's announcement reads:

"This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users."
In response to this breach, Twitter has reset the passwords and revoked the session tokens for the affected accounts. As an additional precautionary measure, Twitter will be notifying the affected users via the email address associated with their Twitter account. Twitter added:

"This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users."
Twitter has also requested that users disable Java. Now this sounds interesting. A few weeks ago, a new 0-day vulnerability was discovered in Java 7 Update 11. Combining these two facts leaves a lot of unanswered questions, especially: how is Java related to the Twitter security breach, which Java version was involved, which family of malware/trojan was used, which website or websites served the drive-by download, and most importantly, HOW? Hopefully we will find answers to these questions in the near future.
However, as a security measure, as also advised by Twitter along with our own advisories on how to manage your passwords, and irrespective of whether you received Twitter's precautionary email: change your Twitter password. Keep it long, and add a dash of numbers and some special characters.
Oracle issued an out-of-band Java update on 1 Feb 2013. Update Java, and if you have no use for Java, remove it.