Twitter hack hits me where I live
News that 58,000 Twitter usernames and passwords were posted online by a hacker claiming to be part of Anonymous really hits me where I live. I recently wrote about how I fell for the oldest social engineering trick in the book through a bogus tweet, and that's one of the ways this stuff happens.
How much this latest incident has to do with social engineering remains to be seen, and Twitter claims there are over 20,000 duplicate usernames and passwords in that data as well as many spam accounts that have already been disabled and others where usernames and passwords don’t match. I suspect Twitter is ducking full responsibility for this, and I am seeing some grumblings out there that Twitter isn't encrypting passwords as vigorously as it should.
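The grumbling about password storage comes down to one question: if the back-end table leaks, what does an attacker learn without cracking anything? The script below is an added illustration, not code from the post or from Twitter; it contrasts a weak store (one fast, unsalted hash per user) with a salted, iterated PBKDF2 store, using a constructed three-user table in which two people picked the same password. The record format, the iteration count, and the sample users are assumptions made for the example.

```python
"""Added example: salted, iterated password hashing versus the weak storage the post worries about."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

ITERATIONS = 100_000  # assumed work factor; raise it to what your login servers can afford


def unsalted_sha1(password: str) -> str:
    """Weak storage: one fast, unsalted hash. Equal passwords produce equal stored values."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest (assumed record format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or foreign record: never authenticate on it
    _, iters, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def visible_duplicates(records: Dict[str, str]) -> int:
    """Count stored values shared by more than one user: what a leaked table reveals for free."""
    counts: Dict[str, int] = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


# Constructed sample: two of three users chose the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2", "carol": "hunter2"}


def build_store(hasher: Callable[[str], str]) -> Dict[str, str]:
    """Build a username -> stored-credential table with the given hashing function."""
    return {user: hasher(pw) for user, pw in SAMPLE_USERS.items()}


if __name__ == "__main__":
    weak = build_store(unsalted_sha1)
    strong = build_store(hash_password)
    print("duplicate groups visible in unsalted store:", visible_duplicates(weak))
    print("duplicate groups visible in salted store:", visible_duplicates(strong))
    print("bob logs in with the right password:", verify_password("hunter2", strong["bob"]))
    print("bob logs in with the wrong password:", verify_password("hunter3", strong["bob"]))
```

In the unsalted store, bob and carol are visibly the same password before any cracking starts, which is exactly the kind of duplicate a leaked table exposes; with per-user salts and an iterated hash, the two records differ and each one costs a full PBKDF2 run per guess. The verifier reads the salt and iteration count back out of the record, so the work factor can be raised later without invalidating existing users.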
I've gotten some comments by email from security researchers about what may or may not have happened, and what the larger implications are. I'll share some of those comments now, and end my opining with the suggestion that we all change our passwords.
“Looks like we’re seeing something usual here -- real passwords, real accounts,” said Mark Bower, data protection expert and VP at Voltage Security. “Is Twitter not encrypting its passwords on the back end or are hackers in the Twitter cloud?” he asked.
“While Twitter is downplaying the quality of the accounts posted online, the credentials do appear to be legitimate,” said Michael Sutton, VP of Security Research at Zscaler ThreatLabZ. “The means by which they were harvested is still unknown, but social networking credentials have become valuable currency in the underground and are often the target of botnets and phishing campaigns. Social networking credentials are valuable because networks such as Facebook and Twitter represent trusted means of communication. Unlike spam email, which is completely untrusted and could come from any source, messages from contacts that you’ve explicitly permitted into your personal network are considered trusted and therefore links sent in such messages have a far higher click-through rate. This fact has not been lost on criminals who go to great lengths to harvest or purchase social networking credentials and then leverage the compromised accounts to social engineer victims into visiting malicious sites.”
“The recent Twitter hack highlights that breaches are happening more frequently and the stakes are potentially very high,” said Eric Chiu, president & founder of HyTrust. “Not only can these Twitter accounts be accessed, but many people use the same credentials for multiple personal and work accounts. What happens if a hacker breaches someone’s email account or corporate network? This could lead to identity theft, corporate data leaks, and more.”