
Twitter #Hacked

Posted by timothy
from the coz-it's-a-hashtag-see dept.
theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."

  • java app => cron: reboot/restart apache/jboss/tomcat : every week
  • Safari and Firefox (Score:5, Insightful)

    by icebike (68054) on Saturday February 02, 2013 @01:15AM (#42769193)

    Who reads twitter with a web browser anymore? All quarter million of these accounts?
    Or was that avenue used to gain access on a server to a password database or what?

    TFA says

    hackers gained access to Twitter's internal systems and stole information, compromising 250,000 accounts

    They then reference an advisory from the U.S. Department of Homeland Security that users disable Java on their computers.

    Maybe Twitter should follow DHS?

    This sounds like half the story. And press accounts aren't much more informative. Seems everyone is playing this java angle
    pretty close to the vest.

    • by Anonymous Coward

      Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.

      • by tlhIngan (30335) <slashdot AT worf DOT net> on Saturday February 02, 2013 @02:32AM (#42769519)

        Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.

        They'd have to be both - as in a Mac running 10.6 or earlier since Apple removed Java from the OS and blocked old versions. Heck, a couple of days ago Apple blocked ALL versions of Java (they set the minimum version to 0.0.01 above the current one - Oracle just released it that was 0.0.02 above their previous version).

        Apple basically kicked Java to the curb with Flashback - they removed their version of Java from the OS (by blocking it, requiring install of the Oracle one). And the Java plugin for Safari is disabled by default - you can enable it, but I believe it disables itself automatically 30 days later, so you have to re-enable it again.

        • by MacDork (560499)

          Workers' computers at Twitter were compromised by a java exploit. If they were running Safari it's either oooold or they were using Macs.

          They'd have to be both - as in a Mac running 10.6 or earlier since Apple removed Java from the OS

          Twitter is staffed by web developers. Web developers typically use Java. I think you might be missing a third possibility.

    • by Mashiki (184564)

      Who reads twitter with a web browser anymore?

      Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...

      • by icebike (68054) on Saturday February 02, 2013 @01:49AM (#42769359)

        Who reads twitter with a web browser anymore?

        Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...

        Funny little thing happened while you were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.

        • by 93 Escort Wagon (326346) on Saturday February 02, 2013 @01:51AM (#42769369)

          Yeah, reading tweets on a little phone screen. That's a step forward, yes it is.

          • by Anonymous Coward

            Yeah, reading tweets on a little phone screen. That's a step forward, yes it is.

            Originally Twitter was supposed to be a SMS broadcast service to make it easy to tell your bros you were at the bar. 140 chars = worked on your shitty 2007 dumbphone. That was a step forward.

            All the witty one-liner stuff, celebrities and politicians spewing talking-points, journalists spamming urls, etc, was an unanticipated side-effect.
             

          • by Anonymous Coward

            Reading tweets period is a massive step backwards. I'm thrilled we could slave to produce this "internet" you all are glued to, reading.....tweets. Awesome. Next time I'm going to engineer new lollipops, that seems to be more your (and the other tweet-consuming masses) speed.

        • by kdemetter (965669)

          And how exactly is that not using a web browser? It may not look the same way, but it does the same thing: it connects to a website (using HTTP protocol), thus allowing you to browse the web. So it's still a browser.

          However, being a browser doesn't mean it has to support applets.

        • by RCL (891376)
          So what. If I spend at least 8 hours daily in front of a (desktop) computer with an abundant screen space (two large monitors), why should I read tweets on my mobile device(s)? When I'm commuting, I don't have much time for that either.
        • by Tridus (79566)

          Yeah, and overnight all the PCs in the world vanished like magic!

        • by Mashiki (184564)

          Funny little thing happened while you were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.

          Well someone already made the point, on smartphones and that tiny ass little screen. I mean really now, as you get older that tiny screen is going to get mighty tough to look at. So tell me again, why would I want to read something in a 4" to 8" area, when I can look at it on a 22" to 27" area in much better resolution without straining my eyes.

          • by icebike (68054)

            If you need 22 inches to read a 148 character tweet you might as well get a screen reader to read them aloud for you. Or better yet, buy some glasses.

        • Who reads twitter with a web browser anymore?

          Did osmosis and transmission into the brain by optical cable get perfected while I was offline in the last three weeks? Can you let us in on the secret...

          Funny little thing happened while you were asleep Rip Van Winkle. Smartphones were found under a cabbage leaf and the world rejoiced.

          Not everyone owns a smartphone. I've never owned ANY kind of cellphone. Mainly read Twitter at the webpage on my desktop. If you want to know WHY I don't own a cellphone, it's because I'd find it an unnecessary expense. Haven't found a need for one.

        • by hkmwbz (531650)
          Smartphones don't have web browsers?
    • Sounds to me like they have found Java exploits posted to compromised accounts, at a guess. They're advising people to disable Java so that their personal computers aren't compromised as well.

      How much personal information is required to set up a Twitter account? I don't use it, but I'd guess not much. So what the hackers gained is 1/4 of a million places to post links to exploit sites - places that may have a wide audience (twitter followers).

    • by NotBorg (829820)

      Who reads twitter with a web browser anymore?

      Anyone clicking a link in a Twitter keep alive e-mail. Recently they've taken a play from Facebook and started spamming anyone they think might be losing interest in their network. If you're not actively engaged with a certain usage pattern you get mail.

    • by antdude (79039)

      I read Twitter in my web browsers. I don't own a mobile phone. :P

    • When they announce these hacks I would like to know how many are active accounts and not just an account with an egg and one tweet.
      • by icebike (68054)

        Egg and One Tweet doesn't necessarily mean inactive. Just a listener.

        I know several people who use EOT accounts to follow breaking news, and maybe a sports team or two, but never ever add to the din of pointless babble.

  • by guttentag (313541) on Saturday February 02, 2013 @01:33AM (#42769285) Journal
    A New York Times story today adds The Washington Post [nytimes.com] to the list of American news organizations whose newsroom computers were found to be communicating with computers in China on their own.

    For those keeping score:
    • The New York Times
    • The Washington Post
    • The Wall Street Journal
    • Bloomberg News
    • by guttentag (313541)
      How was my post off-topic when the summary for the discussion ended with this?

      Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."

      Moderation abuse? Or are you going to claim the Chinese hacked your Slashdot account to mod my comment down.

      • Or are you going to claim the Chinese hacked your Slashdot account to mod my comment down.

        How do you know they didn't?

        I wouldn't put it past them quite frankly.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Begun the cyber war has.

      • Begun the cyber war has.

        The seaman looks up and maneuvers the boat toward shore. He cries out "I have waited three ages for someone to say those words and save me from sailing this endless ocean. Please accept this gift. You may find it useful!"

    • by quetwo (1203948)

      Maybe the hackers just wanted to read the news before it was re-written for Chinese consumption...

  • I'm having trouble following this. If I understand correctly, if I had Java disabled in my browser already, then my Twitter account is safe? It's really hard to tell from the article.
  • by bill_mcgonigle (4333) * on Saturday February 02, 2013 @01:40AM (#42769317) Homepage Journal

    Well, one thing is for sure - the exploit was written with a context-free grammar.

  • really slashdot? Yay for superstition..

    I guarantee that more than three organizations have been cracked in the last week.

    It reminds me somewhat of Tim Minchin at minute 2 in this video: https://www.youtube.com/watch?v=ET1-_PeExMs [youtube.com]

    /rant

  • And... (Score:3, Insightful)

    by Anonymous Coward on Saturday February 02, 2013 @02:12AM (#42769459)

    nothing of value was lost

  • I don't know (or specifically care) if I'm among that quarter million users, but it would have been peachy keen if Twitter had taken five minutes to e-mail their friggin' users to tell them.
  • I call foul.

    I don't even have Java installed....and yet my twitter account was hacked due to a java vulnerability? I got one of the emails saying my account had been compromised...but according to this, that wouldn't have been possible.

    Someone's mistaken...or lying.

    • by rwven (663186)

      Also...I -only- use Chrome, and nothing else. Yet this was supposedly a Safari and FF specific problem?

    • by ScentCone (795499)
      You're confused. It wasn't a Java hack on YOUR computer, it was a Java hack on a machine internally at Twitter, via which accounts were snooped. Relax.
      • by rwven (663186)

        *relaxes*

        Thanks for the clarification. I'm feeling a little sheepish now.

  • Rubbish (Score:5, Informative)

    by Frankie70 (803801) on Saturday February 02, 2013 @05:20AM (#42770007)

    If a security hole in Java running on a Twitter user's browser allowed someone to get to Twitter's internal data (i.e. not just the data of the user whose browser had Java) - then it's a security hole in Twitter.

    I think Twitter is being dishonest here.

  • How can java and safari be to blame? Unless of course an employee was surfing porn or something questionable and his PC was hijacked but I would say the problem is with twitter not doing more to protect their employee machines and network.
    • by Tridus (79566)

      According to an article here a couple days ago, online ads are more dangerous than porn. Considering how many flaws there are in Java, all you need to do is get some code on any website someone visits and you can root the machine. The idea that the Twitter user was doing anything inappropriate at all is just speculation.

  • It's unclear why twitter are resetting passwords. Is it simply a precaution as the password data is encrypted and useless (as it should be)? Surely in this day and age Twitter aren't storing passwords in clear text?
    • by quetwo (1203948)

      According to their report, they were encrypted with different salt. But given enough time and computing resources. I imagine that they would go after the better known celebrities first, but you never know who would be caught in the crossfire. Expiring the passwords was a good move since even if the passwords are decrypted, they can't get into your twitter account.

  • The pattern reveals media and social companies as the low hanging fruit. As long as they don't do a big hit on the 3 big ones: Apple, Google, Amazon then there is not much cause for alarm.

  • No. Internal systems that are secure do not get compromised by rogue clients.

    Could it be that someone used Java in the browsers to snatch credentials from users on their local machines? Sure.

    Could someone infect a browser and that cause Twitter's network to be insecure? No.

  • This is an awfully good illustration of one of the many reasons why I don't drink the social-networking Kool Aid. I make exceptions for Goodreads and RateYourMusic, plus a few forum accounts, but that's it.
