Post-Hack, Twitter to Change Login Protocol
YNOT – Twitter admins on Monday confirmed plans to change the way users log in to the popular micro-blogging service, in hopes of limiting the kind of security breach that compromised 250,000 Twitter accounts last week.
Gmail and Facebook already offer a login option using “two-factor authentication,” which prevents unauthorized users from hijacking accounts even if they know the correct password. A new employment opportunity posted over the weekend revealed Twitter may intend to adopt something similar.
So-called 2FA protocols typically require users who log in from a device or IP address not previously associated with their account to confirm the attempt’s legitimacy by also entering an alphanumeric code delivered to the registered user’s cell phone. Such a system might have prevented last week’s potential disaster, when what Twitter security personnel believe to be a professional hacking outfit broke into the company’s servers and may have stolen email addresses, passwords and other account details for as many as a quarter-million Twitter users.
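The login flow described above, as an added illustration that is not Twitter’s code and is not from the article: a password check, a list of devices the user has already confirmed, and a one-time code sent out of band only when the device is unknown. Everything here is constructed for the example: the six-character code format, the five-minute code lifetime, the five-attempt cap, the in-memory `Account` store and the `send_sms` callback standing in for a real SMS gateway.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed example parameters (assumptions, not values from the article).
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 6
CODE_TTL_SECONDS = 300
MAX_CODE_ATTEMPTS = 5


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked account table cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Minimal in-memory stand-in for a user record (constructed for this example)."""

    def __init__(self, username: str, password: str, phone: str):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.phone = phone
        self.known_devices = set()  # device ids or addresses the user has confirmed
        self.pending = None         # the open second-factor challenge, if any


class Challenge:
    """One outstanding code, tied to the device that triggered it."""

    def __init__(self, code: str, device_id: str, issued_at: float):
        self.code = code
        self.device_id = device_id
        self.expires_at = issued_at + CODE_TTL_SECONDS
        self.attempts = 0


def begin_login(account, password, device_id, send_sms, now=None):
    """First factor. Returns 'denied', 'ok' (known device) or 'code_required'."""
    now = time.time() if now is None else now
    candidate = hash_password(password, account.salt)
    # Constant-time comparison so timing does not leak how much of the hash matched.
    if not hmac.compare_digest(candidate, account.password_hash):
        return "denied"
    if device_id in account.known_devices:
        return "ok"
    # Unknown device or address: issue a fresh random code and deliver it out of band.
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    account.pending = Challenge(code, device_id, now)
    send_sms(account.phone, f"Your login code is {code}")
    return "code_required"


def complete_login(account, device_id, submitted_code, now=None):
    """Second factor. Trusts the device only on a valid, unexpired, unguessed code."""
    now = time.time() if now is None else now
    challenge = account.pending
    # The code is bound to the device that asked for it.
    if challenge is None or challenge.device_id != device_id:
        return False
    if now > challenge.expires_at:
        account.pending = None
        return False
    challenge.attempts += 1
    if challenge.attempts > MAX_CODE_ATTEMPTS:
        account.pending = None  # too many guesses: the user must request a new code
        return False
    if not hmac.compare_digest(challenge.code, submitted_code):
        return False
    account.pending = None
    account.known_devices.add(device_id)
    return True
```

The two points a practitioner would check in a real deployment are visible here: the code expires and is capped in attempts so it cannot be brute-forced at leisure, and a correct code from a different device than the one that requested it is rejected rather than silently trusting whatever device presents it.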
Twitter has neither confirmed nor denied data theft, but security chief Bob Lord confirmed the company locked down the potentially compromised accounts and required those users to reset their passwords at their next login. Lord also said the company notified affected users by email.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” Lord wrote on the company’s blog. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users.”
A number of high-profile Twitter users have fallen victim to account hijacking since the service launched in mid-2006, notably PayPal UK, FOX News and actor Ashton Kutcher. Those hijackings invariably followed users being tricked into revealing personal information by rogue sites impersonating Twitter. 2FA is one way of protecting users from themselves in such cases.
Although Twitter insiders haven’t said, security experts believe Twitter may have come under attack by the same China-based hackers who recently struck The New York Times and The Wall Street Journal. Officially, little is known about the nature of the attack or why so few of Twitter’s reported 200 million active users were targeted.
Contributing writer Erika Icon assisted with this report.