Twitter has become the latest victim in a number of cyber attacks against media companies. Hackers may have gained access to information on 250,000 of its more than 200 million active users.
According to a blog post the company published on Friday, Twitter detected attempts to gain access to its user data this week. It shut down one attack moments after it was detected. The company reset the pilfered passwords and sent emails advising the affected users.
The online attack comes on the heels of recent hacks into the computer systems of US media and technology companies, including The New York Times and The Wall Street Journal this week. Both papers’ computer systems had been infiltrated by China-based hackers, probably to monitor media coverage.
China has been accused of mounting a widespread, aggressive cyber-spying campaign for several years, trying to steal classified information and corporate secrets and to intimidate critics. The Chinese foreign ministry could not be reached for comment, but the Chinese government has said those accusations are baseless and that China itself is a victim of cyber attacks.
“Chinese law forbids hacking and any other actions that damage Internet security. The Chinese military has never supported any hacking activities,” the Chinese Defense Ministry recently said.
“The attackers were extremely sophisticated, and we believe other companies and organisations have also been recently similarly attacked,” said Bob Lord, Twitter’s director of information security. “For that reason we felt that it was important to publicise this attack while we still gather information.”
One expert said that the Twitter hack probably happened after an employee’s home or work computer was compromised through vulnerabilities in Java, a commonly used computing language whose weaknesses have been well publicised.
Ashkan Soltani, an independent privacy and security researcher, said such a move would give attackers “a toehold” in Twitter’s internal network, potentially allowing them either to sniff out user information as it travelled across the company’s system or break into specific areas, such as the authentication servers that process users’ passwords.
“Someone could use that as an entry point into another service,” Soltani said, noting that since few people bother using different passwords for different services, a password stolen from Twitter might be just as handy for reading a journalist’s emails.