Twitter announced this evening that some 250k user accounts were compromised.
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
Passwords and session tokens were reset to contain the problem. It is likely that personal information, including direct messages, were exposed. The post asks users to use strong passwords of at least 10 characters, and requests that they disable Java in the browser, which together provide a pretty fair indication of how the attacks were conducted. Disable Java in the browser – where have you heard that before? We will update this post as we learn more.
Update by Rich: Adrian and I both posted this within minutes. Here is my comment:
Also from the post:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
Twitter has a hell of a good security team with some serious firepower, including Charlie Miller.
—Adrian Lane, Rich