Twitter Was Hacked – sort of
Twitter says no accounts have been compromised after a hacker claims to have acquired user details by allegedly breaking into its databases
Twitter was hacked on Tuesday 8/20/2013, and the hacker – “Mauritania Attacker” – released the account information for thousands of users.
According to various reports, the hacker leaked details for 15,167 accounts including “Twitter IDs, handles, oauth_token, and oauth_token secret codes.”
The leaked information could be used to log into a user’s account and post information without their approval. A plain text version of user account information was made available via Zippyshare.
These tokens are used to verify apps connecting to the microblogging service. They are not sufficient on their own to log in to Twitter, but could be used to direct further attacks on unsuspecting victims.
“The best practice for users thought to be affected by the data snatch is to revoke and re-establish access to third-party apps,” GigaOm wrote on Tuesday.
According to Techworm, the hacker claims to have full access to the “entire database of users on Twitter.” The hacker has also threatened to release “unlimited accounts credentials in the coming future.”
However, commenters have voiced the opinion that “A third party was compromised only, not Twitter. Furthermore, those oauth tokens/secrets are 2 sections of a 4-part authentication model over the Twitter REST API. Without the consumer token & secret they are rendered useless.”
Whatever the goal of the hacker, it’s a good time to conduct a little security housekeeping on your own account:
PROTECTING YOUR ACCOUNT
If you want to be proactive with your Twitter account, you can start by heading over to your apps settings inside your Twitter account and removing any 3rd-party Apps. Change your password using a complex construct, then reauthorize those applications you deem essential. Twitter OAuth tokens do not currently expire, which means users must manually revoke them.
If you run OAuth tokens via your own website accounts, the best option may be to take advantage of Twitter’s two factor authentication.
Robert Siciliano, an Identity Theft Expert to Hotspot Shield VPN, writing for The Huffington Post, detailed security steps you can take:
When you sign in to Twitter.com, there’s an option in “Settings” under “Account security” for a second check to require a verification code to make sure it’s really you. You’ll be asked to register a verified phone number and a confirmed email address. To get started, follow these steps:
- Visit your account settings page.
- Select “Require a verification code when I sign in.”
- Click on the link to “add a phone” and follow the prompts.
- After you enroll in login verification, you’ll be asked to enter a six-digit code that Twitter will send to your phone via SMS each time you sign in to www.twitter.com.
In cases where more than one person accesses the same Twitter account, Twitter’s two-factor authentication is less effective. Create an open dialog with fellow account holders and share second-factor authenticating identifiers via text.
Some more tips:
- Limit the number of people that have access to your account.
- Use a strong password.
- Use Twitters login verification.
- Watch out for suspicious links, and always make sure you’re actually on Twitter.com before you enter your login information.
- Never give your username and password out to untrusted third parties, especially those promising to get you followers or make you money.
- Make sure your computer and operating system is up to date with the most recent patches, upgrades and anti-virus software.
- Beware of phishing. Phishing is when someone tries to trick you into giving up your Twitter or email username and password, usually so they can send out spam to all your followers from your account. Often, they’ll try to trick you with a link that goes to a fake login page.
- Beware of typosquatting or cybersquatting. Typosquatting, which is also known as URL hijacking, is a form of cybersquatting that targets internet users who accidentally type a website address into their web browser incorrectly. When users make a typographical error while entering the website address, they may be led to an alternative website owned by a cybersquatter.
- Beware of short urls. Before you click on shortened URLs, find out where they lead by pasting them into a URL lengthening service, such as URL Expanders for Internet Explorer and URL Expanders for Firefox.
- Use aVPN (Virtual Private Network). Protect your private information and sensitive data from snoopers and hackers while surfing the web at WiFi hotspots, hotels, airports and corporate offices with Hotspot Shield VPN’s WiFi security feature.