Up to 250,000 Twitter users have had their accounts hacked in the latest of a string of high-profile internet security breaches.
Twitter’s information security director Bob Lord said users’ passwords had been stolen, as well as usernames, emails and other data.
Affected users have had passwords invalidated and have been sent emails informing them.
Bob Lord said the attack “was not the work of amateurs”.
He said it appeared similar to recent attacks on the New York Times and others.
The newspaper reported this week that their computer systems had been breached by China-based hackers
Bob Lord said in a blog post Twitter had discovered unauthorized attempts to access data held by the website, including one attack that was identified and stopped moments after it was detected.
“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” he wrote.
Bob Lord did not say who had carried out the attack, but added: “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.”
“For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the internet safer for all users.”
Up to 250,000 Twitter users have had their accounts hacked in the latest of a string of high-profile internet security breaches
Internet security specialist Graham Cluley warned Twitter’s announcement that emails would be sent to users may prompt a spate of spam emails “phishing” for sensitive information.
He says people should be cautious about opening emails which appear to be from Twitter.
“You have to be careful if you get hold of one of these emails because, of course, it could equally be a phishing attack – it could be someone pretending to be Twitter.
“So, log into the Twitter site as normal and try and log in to your account and, if there’s a problem, that’s when you actually have to try and reset your password.”
On Thursday the New York Times linked the attack to a story it published alleging relatives of former Premier Wen Jiabao controlled assets worth billions of dollars.
China’s foreign ministry dismissed the New York Times’ accusations as “groundless” and “totally irresponsible”.
[youtube qA_DXq6WCvc]
An annual study of the most commonly used passwords has found that password, 123456 and 12345678 are still the most commonly used passwords – despite years of security experts urging people to change them to more secure versions.
“Just in time for Halloween comes something that might scare anyone who spends a lot of time online: SplashData’s annual list of the most common passwords used on the Internet and posted by hackers,” the researchers said.
“Users of any of these passwords are the most likely to be victims in future breaches.”
The latest list comes following 12 months of high profile hacks that have revealed user passwords.
Yahoo, LinkedIn, eHarmony, and Last.fm have all suffered major breaches.
However, some people have updated their passwords, and the research found new entries to this year’s list include “welcome”, “jesus”, “ninja” ,”mustang” and “password1”.
The firm behind the study, SplashData, warned users to change their password.
“At this time of year, people enjoy focusing on scary costumes, movies and decorations, but those who have been through it can tell you how terrifying it is to have your identity stolen because of a hacked password,” said Morgan Slain, SplashData CEO.
“We’re hoping that with more publicity about how risky it is to use weak passwords, more people will start taking simple steps to protect themselves by using stronger passwords and using different passwords for different websites.”
SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online by hackers.
The company advises consumers or businesses using any of the passwords on the list to change them immediately.
“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” Morgan Slain said.
“Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”
HOW TO CHOOSE A SAFE PASSWORD
SplashData suggests making passwords more secure with these tips:
• Use passwords of eight characters or more with mixed types of characters.
• For example, “eat cake at 8!” or “car_park_city?”
• Avoid using the same username/password combination for multiple websites.
• Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services.
SplashData’s top 25 list was compiled from files containing millions of stolen passwords posted online by hackers
MOST COMMON PASSWORDS
The Worst Passwords of 2012, including their current ranking and any changes from the 2011 list:
1. password (Unchanged)
2, 123456 (Unchanged)
3. 12345678 (Unchanged)
4. abc123 (Up 1)
5. qwerty (Down 1)
6. monkey (Unchanged)
7. letmein (Up 1)
8. dragon (Up 2)
9. 111111 (Up 3)
10. baseball (Up 1)
11. iloveyou (Up 2)
12. trustno1 (Down 3)
13. 1234567 (Down 6)
14. sunshine (Up 1)
15. master (Down 1)
16. 123123 (Up 4)
17. welcome (New)
18. shadow (Up 1)
19. ashley (Down 3)
20. football (Up 5)
21. jesus (New)
22. michael (Up 2)
23. ninja (New)
24. mustang (New)
25. password1 (New)
Source: SplashData
