Updating your Twitter Password Isn’t Enough
It happens so often that many of you probably ignore the newest reports of a bank or web service being hacked and personal information being stolen. Most news stations probably have a template where they just fill in the variables, something like “Today <X> was the victim of hackers. Information including names, passwords, credit card information, and <Y> for more than <N> customers was stolen and is now being sold online to other hacker groups.”
Most companies do little to notify customers and have a policy of downplaying the perceived severity of any attack. The common response is “No indication of customer data being abused has been reported.” In severe cases a company may offer its customers free credit report monitoring for a year. Unfortunately, this typically requires you to sign up using a credit card, and unless you remember to cancel you’ll automatically be renewed and charged for any future years.
Twitter says “attack was not the work of amateurs…”
Today, the public news report is that information from approximately 250,000 Twitter accounts was stolen. Twitter has taken action but I recommend you do more than just change your password. Even if you don’t use Twitter this attack may still affect you.
- Immediately try to sign on to Twitter and change your password. If your account was compromised, Twitter may have already changed your password and you won’t be able to sign on. Don’t keep trying to sign on or you may be blocked. Even if you weren’t a victim, tell Twitter to send a password reset link to your associated Email address. Check your Email and create a new password that you’ll remember and that is different from your current password.
- Important: If you used your Twitter password, or even something similar, on other services like Facebook, start going to all the other services you use and change your password. I know keeping track of passwords is hard, but hackers know you reuse passwords.
The bad guys have automated tools which are now trying to use your Twitter Email and password to access Facebook, Google+, Gmail, Pinterest, Microsoft Live, LinkedIn, Instagram, WordPress, BlogSpot and even GoDaddy.
When you reset your password, be sure to verify all the email accounts and cell phone numbers associated with your account. A hacker will add their own contact information so they can reset your password again; no matter how many times you change your password, they’ll still have a way back in.
- Just in case: Your Twitter account is associated with an Email address. Change the password on this Email account. While the attack will not expose your email password, it does make the email address known. Depending on your background you could become the target of future attacks, and that email address may be the key to many other desired accounts.
- Be Smart: Be wary of ALL messages you receive from your friends especially on Twitter but also on Facebook, Email and other online services. If your friend had their account stolen they’ll most likely be sending out phishing attempts or links that will infect you. If you receive anything suspicious notify your friend immediately by phone and share these tips.
- Twitter Apps: Even if Twitter changed your password, you probably have accounts with one of the popular Twitter Apps. You will need to enter your new password in apps you may have forgotten are associated with Twitter. Examples include “Twitter for Android”, “WeFollow”, “TwitPic”, “TweepsMap”, “Cert Me”, “Seesmic”, “Disqus”, and “Pinterest.”
See https://twitter.com/settings/applications to view your apps and clean up any unwanted application.
- Remember to change the password on other Twitter accounts you have. In my case, one of my Twitter accounts was compromised but others were not. While my BillP account was compromised, I was able to sign on to my WinPatrol Twitter account without being forced to change my password. Imagine if I had used the same password for both accounts.
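The automated password-replay described above (leaked Twitter email/password pairs tried against other services) leaves a recognizable trace on the receiving site: one source trying many different accounts, with only the reused passwords succeeding. The following detector is an added example, not code from the original post or from Twitter; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample login-audit lines (not from the original post). Source
# 203.0.113.7 replays a leaked credential list against many different
# accounts; 198.51.100.9 is an ordinary user mistyping her own password.
SAMPLE_LOG = """\
2013-02-02T11:01:03Z ip=203.0.113.7 user=alice@example.com result=FAIL
2013-02-02T11:01:04Z ip=203.0.113.7 user=bob@example.com result=FAIL
2013-02-02T11:01:04Z ip=203.0.113.7 user=carol@example.com result=OK
2013-02-02T11:01:05Z ip=203.0.113.7 user=dave@example.com result=FAIL
2013-02-02T11:01:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2013-02-02T11:01:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2013-02-02T11:03:10Z ip=198.51.100.9 user=grace@example.com result=FAIL
2013-02-02T11:03:25Z ip=198.51.100.9 user=grace@example.com result=FAIL
2013-02-02T11:03:41Z ip=198.51.100.9 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"^\S+ ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(log_text):
    """Yield (ip, user, succeeded) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"

def find_credential_stuffing(log_text, min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with mostly failures.

    A user fumbling her own password hits one account repeatedly; a replayed
    credential list touches many accounts once each, and only the reused
    passwords succeed. Returns {ip: stats} for flagged sources, including the
    accounts that were successfully entered so they can be force-reset.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0, "hit": set()})
    for ip, user, ok in parse(log_text):
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["successes"] += 1
            s["hit"].add(user)
    flagged = {}
    for ip, s in stats.items():
        if len(s["users"]) >= min_users and s["successes"] / s["attempts"] <= max_success_rate:
            flagged[ip] = {"users": len(s["users"]), "attempts": s["attempts"],
                           "successes": s["successes"], "hit_accounts": sorted(s["hit"])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} accounts tried, {info['successes']}/{info['attempts']} succeeded; reset {info['hit_accounts']}")
```

The flagged successes are the accounts whose owners reused their leaked password, which is exactly the set a service should force through a password reset and a recovery-contact review.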
I’m pleased Twitter has made this attack public and, even better, is forcing a password change. They risk losing customers, but they would risk a lot more if user accounts were left open.
I received the following Email at 11:09 AM EST today letting me know of the attack even though the Twitter Blog reported the attack yesterday afternoon. It might be worth following @boblord, the Director of Information Security for Twitter or the official @Twitter company account.
Dear Twitter User:
As a precautionary security measure, we have reset your Twitter account password. Check your inbox for a separate email from Twitter with instructions on how to reset your password. If you don't see an email, you can go to this page in our Help Center to request a password reset. More information is below.
We recently detected an attack on our systems in which the attackers may have had access to limited user information - specifically, your username, email address and an encrypted/salted version of your password (not the actual letters and numbers in your password). Further information about the attack can be found in this blog post.
Since your password has been reset, your old password will not work when you try to log into Twitter. We strongly encourage you to take this opportunity to select a strong password - at least 10 (but more is better) characters and a mixture of upper and lowercase letters, numbers, and symbols - that you are not using for any other accounts or sites. Using the same password for multiple online accounts significantly increases your odds of being compromised.
For more information about making your Twitter and other Internet accounts more secure, read our Help Center documentation or the FTC's guide on passwords.
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to reset your password and publicize this attack while we still gather information. We are also helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
So, please take this report seriously and do the homework I assigned above. As I’ve pointed out, the impact of this exposure goes far beyond Twitter. I hope you all realize the danger of you or your friends using the same passwords for multiple log-ins. Even though Twitter took drastic measures by forcing users to reset their password, many risks still exist due to this common behavior.