Late Friday, Twitter announced that it had been breached and that data for 250,000 Twitter users had been stolen.
The company said in a blog post that it had detected unusual access patterns earlier in the week and found that user information (usernames, e-mail addresses and salted, hashed passwords) for about 250,000 users had been stolen in what it described as a "sophisticated attack."
"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Bob Lord, Twitter's director of information security, said in the blog post. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked."
Jim Prosser, a spokesman for Twitter, would not say how the attackers got into Twitter's systems, but the blog post implied that they had broken in through a well-publicized vulnerability in Oracle's Java software.
Java, a widely used programming language and runtime, is installed on more than three billion devices and has long been dogged by security problems. Last month, after a security researcher exposed a serious vulnerability in the software, the Department of Homeland Security issued a rare alert warning users to disable Java on their computers. The flaw was particularly disconcerting because it let attackers install a malicious program on a victim's machine without any prompting: with the Java browser plug-in enabled, merely visiting a Web page carrying the exploit was enough. Users did not have to click a malicious link or accept a download; the program simply installed itself.
Oracle patched the hole, but even then the department said the fix was not sufficient and urged users to disable Java in their Web browsers.
"Unless it is absolutely necessary to run Java in Web browsers, disable it," the agency said in an updated alert. "This will help mitigate other Java vulnerabilities that may be discovered in the future."
Twitter also encouraged users to disable the software. "We also echo the advisory from the U.S. Department of Homeland Security and security experts to encourage users to disable Java on their computers," Mr. Lord said.
Apple no longer ships its machines with Java enabled by default, and after the alert it also disabled the Java browser plug-in remotely on Macs where it had already been installed. Those who do not own Macs can disable the plug-in by following the instructions on Oracle's Java Web site.
Mr. Prosser said Twitter was working with government agencies and federal law enforcement to track down the source of the attacks. For now, he said, the company had reset the passwords of every compromised user and notified them. The company encouraged users to practice good password hygiene, which means using a different password for each site and choosing long passwords that cannot be found in a dictionary or guessed from a word list.
Twitter did say that it "hashed" passwords, meaning it stored the output of a one-way mathematical function rather than the passwords themselves, and "salted" them, meaning it mixed a random value into each password before hashing it. A salt ensures that two users with the same password get different stored hashes and that an attacker cannot crack the whole database at once with a precomputed table of hashes; it makes the stolen hashes more difficult, but not impossible, to crack, since a weak password can still be guessed one account at a time.
Once cracked, passwords can be valuable on auction-like black-market sites, where a single password can fetch $20.
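To make the hashing-and-salting point concrete, here is an added example; it is not Twitter's code, and nothing about Twitter's actual storage scheme is known beyond "hashed" and "salted". It stores two constructed sample accounts that share a weak password, first with a plain unsalted hash and then with a per-user random salt, and runs a small word-list attack against both. The user names, passwords, word list and the PBKDF2 work factor are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who picked the same weak password.
USERS = {"alice": "password1", "bob": "password1"}
# Constructed attacker word list; weak passwords like "password1" are in such lists.
WORDLIST = ["letmein", "123456", "password1", "qwerty"]
ITERATIONS = 50_000  # assumed PBKDF2 work factor; production deployments tune this higher


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: every user with the same password gets the same hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password mixed with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str) -> tuple:
    """Create a record the way a site should: fresh random salt, then the salted hash."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Check a login attempt against the stored record using a constant-time compare."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_unsalted(hashes: dict, wordlist) -> tuple:
    """Precompute one table for the word list; every matching account falls at once."""
    table = {unsalted_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in hashes.items() if h in table}
    return found, len(wordlist)  # one hash per word, however many users there are


def crack_salted(records: dict, wordlist) -> tuple:
    """With per-user salts no table can be shared: each account is attacked separately."""
    found, work = {}, 0
    for user, (salt, h) in records.items():
        for word in wordlist:
            work += 1
            if salted_hash(word, salt) == h:
                found[user] = word
                break
    return found, work


def demo() -> dict:
    """Run both storage schemes over the sample users and summarise what an attacker gets."""
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: store(p) for u, p in USERS.items()}
    u_found, u_work = crack_unsalted(unsalted, WORDLIST)
    s_found, s_work = crack_salted(salted, WORDLIST)
    return {
        "unsalted_hashes_identical": unsalted["alice"] == unsalted["bob"],
        "salted_hashes_identical": salted["alice"][1] == salted["bob"][1],
        "unsalted_cracked": u_found,
        "unsalted_work": u_work,
        "salted_cracked": s_found,
        "salted_work": s_work,
        "login_ok": verify("password1", *salted["alice"]),
        "login_wrong": verify("Password1", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The summary shows both halves of the article's caveat: the unsalted hashes for alice and bob are identical and both accounts fall to a single table lookup, while the salted records differ and cost the attacker a separate pass per account, yet a password that appears in the word list is still recovered either way. Salting and a slow hash raise the attacker's bill; only a password that is not on any list stays out of reach.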