Following Twitter's emails to about 250,000 users stating that their accounts' security may have been compromised, it seems the social network is considering improving security to prevent further mischief. A job listing spotted by The Guardian reveals that Twitter is on the lookout for a software engineer for Product Security, whose chief duties would include designing and developing “user-facing security features, such as multi-factor authentication and fraudulent login detection.”
The report also stated that Twitter plans to introduce “two-factor authentication” to boost the security of its service, especially in light of the recent events.
Better security. One flap at a time.
Just a day after an intermittent outage disrupted services, the micro-blogging website admitted to being hacked. Twitter wrote on its blog that it detected “unusual access patterns that led to us identifying unauthorised access attempts to Twitter user data.” The company claimed that it detected and shut down a live attack within moments, but its investigation indicated that the attackers may have obtained limited user information.
Twitter wrote that the hackers could have had access to user names, email addresses, session tokens and encrypted/salted versions of passwords for approximately 250,000 users. As a precautionary measure, Twitter sent out emails to these users letting them know that the site had reset their passwords and revoked the security tokens for their accounts. All these users will have to create new passwords to access their accounts.
Elaborating on the concept of two-factor authentication, the report adds that the method alerts the account holder of any attempt to compromise the security of their account. The system “blocks access from new devices or internet addresses, even when using the correct password, unless accompanied by a short numerical code that is sent separately to the account owner's mobile phone.”
Simply put, if there is an attempt to log in to an account from a new device, an app or an unknown location (determined from the IP address), two-factor authentication will block the login even if the password is correct. Instead, a code is sent to the owner's mobile phone, and only once that code is entered on the page does the login go through.
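The flow described above, as an added illustration rather than Twitter's own code: a password check, a step-up rule that demands a short numeric code whenever the device or IP address is unfamiliar, and single-use, time-limited verification of that code. The account layout, the five-minute code lifetime and the PBKDF2 password hash are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # assumption: a sent code stays valid for five minutes

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    known_devices: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device_id -> (code, expiry)

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked database does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, hash_password(password, salt))

def needs_second_factor(acct: Account, device_id: str, ip: str) -> bool:
    # An unfamiliar device OR an unfamiliar address triggers the code step.
    return device_id not in acct.known_devices or ip not in acct.known_ips

def issue_code(acct: Account, device_id: str, now: float = None) -> str:
    code = f"{secrets.randbelow(10**6):06d}"  # short numeric code, as described
    acct.pending[device_id] = (code, (now or time.time()) + CODE_TTL_SECONDS)
    return code  # would be sent by SMS; never shown to the browser

def verify_code(acct, device_id, submitted, ip, now=None) -> bool:
    entry = acct.pending.pop(device_id, None)  # single use: a retry needs a fresh code
    if entry is None or (now or time.time()) > entry[1]:
        return False
    if not hmac.compare_digest(entry[0], submitted):  # constant-time comparison
        return False
    acct.known_devices.add(device_id)  # trust this device and address from now on
    acct.known_ips.add(ip)
    return True

def login(acct, password, device_id, ip, now=None) -> str:
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied"
    if needs_second_factor(acct, device_id, ip):
        issue_code(acct, device_id, now)
        return "code_required"
    return "ok"
```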
While Twitter has downplayed the possibility that the hacking could have been related to the widespread outage, it has ominously drawn parallels with the hacking of US-based news websites earlier this week.
“As you may have read, there’s been a recent uptick in large-scale security attacks aimed at U.S. technology and media companies. Within the last two weeks, the New York Times and Wall Street Journal have chronicled breaches of their systems, and Apple and Mozilla have turned off Java by default in their browsers,” Twitter noted.
Twitter also went on to echo the advisory from the U.S. Department of Homeland Security and security experts, who have asked users to disable Java in their browsers. Apple has ended up blocking the Java Web plugin for the second time this year after an earlier attempt to patch a critical vulnerability did not fix the issue; the plugin could still be exploited despite the security mechanisms Oracle had put in place. Threats to Internet security have been alarmingly high in the past week, and Twitter cited this in justifying its decision to reset thousands of passwords.