Twitter Hack Prompts Two-Factor Authentication To Strengthen Security
Following the recent hack that compromised up to 250,000 Twitter accounts, the micro-blogging site is now pursuing two-factor authentication to enhance log-on security.
Twitter has 250 million users, meaning the breach affected only 0.10 percent of its entire user base, but any hack attack is still a serious security issue regardless of its proportions. Twitter reset the passwords of all affected users, but said investigation remains ongoing until everything is clear, including determining exactly what data the hackers accessed.
"This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data," Twitter's director of information security Bob Lord announced in a blog post on Friday, Feb. 1. "We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users."
Twitter has reset the passwords for those 250,000 affected users and revoked those accounts' session tokens as a precautionary measure. According to Lord, users should have received an e-mail instructing them to create a new password.
Lord further cautioned users to pay attention to the warnings the Department of Homeland Security has issued recently regarding the Java browser plug-in. He did not, however, specifically associate the Twitter breach to a Java vulnerability exploit.
In light of the security breach, Twitter officials have apparently decided to implement two-factor authentication. A new job listing on Twitter's Web site reveals the new security measure. The job is for a software engineer - product security.
"Design and develop user-facing security features, such as multifactor authentication and fraudulent login detection," read the requirements in the job advert.
Twitter moved to HTTPS as the default option in March 2012, but two-factor authentication would add an extra layer of security to Twitter's log-in process. Google, for instance, has been offering two-factor authentication for a long time for its Gmail and other Google Apps. Dropbox has also implemented this extra security measure after facing a password breach of its own.
Users who have enabled two-factor authentication, both for Google and Dropbox, must enter both their passwords and a unique code - the second factor - generated either by an app on their smartphone or sent to their handset via SMS. Facebook has such a system in place as well.
Until it adopts such a system, all Twitter can do if it detects a breach is to reset those passwords, as it has done now. Some affected users, however, have reported that their presumably expired passwords still work when they log into Twitter via the Twitter API.