If you Tweet, your privacy has just been violated. Twitter suffered a massive security breach early Tuesday, when a hacker from Mauritania leaked over 15,000 private account details and claimed to have access to Twitter’s “entire database of users.”

Fortunately, it appears that the hacker didn’t obtain anyone’s passwords. Instead, the hacker accessed user IDs and something called “OAuth tokens” — pieces of information used to connect Twitter accounts to third-party apps like Facebook, Pinterest, HootSuite, or any number of external website services.

Basically, an OAuth token allows another service to use your Twitter account without revealing your Twitter password to that third party. Because the token stands in for your password, there's an extra layer of protection between your Twitter account and the hacker.

Responding to Tuesday’s attack, security experts reassured the public that there’s not much risk the hacker could gain full access to someone’s account using their OAuth token, but users should still do some damage control.

 

Hacked Twitter Third-Party OAuth Tokens in the Wrong Hands


The alleged hacker responsible for Tuesday’s Twitter hacking is from Mauritania.

Social media tech site Mashable reported that the hacker, going by the name “Mauritania Attacker” and allegedly committing cyber crime in the name of Islam, leaked over 15,000 Twitter user IDs and OAuth tokens through a file-sharing site.

It appears that Mauritania Attacker obtained the data by exploiting an unnamed third-party app which Twitter has already banned. Via Mashable:

A source close to the matter also told Mashable the issue involved a specific third-party app which has already been suspended by Twitter.

Despite the breach, a Twitter spokesperson further said the situation had been “investigated” and it was confirmed that “no Twitter accounts were compromised.”

Website GigaOm interviewed UK security expert Alan Woodward, who elaborated on why the incident poses a low risk:

Woodward said the format of the tokens in the plain-text file looked “plausible.” He added that they probably wouldn’t give attackers full access to users’ accounts, but might make it possible to tweet under the victim’s name.

While it’s easier to recover from a false Tweet or two than, say, hackers who empty your bank account, it’s still unsettling news. We advise Twitter users to take action:

 

Change Your Password Anyway & Revoke Third Party Apps

As part of your general Internet housekeeping, you should change your passwords at least every three months to reduce your risk of cyber crime. While the Mauritania Attacker apparently hasn’t compromised anyone’s Twitter login credentials, the incident is a good reminder to change the digital locks.

Remember, you should use a separate secure password for each of your accounts.

We also suggest revoking the third-party app privileges on your Twitter account to be extra safe. As Woodward explained to GigaOm:

“[A]t present Twitter OAuth tokens once issued do not expire. You have to manually revoke them… So, I think best thing one could [do] is to go in and revoke third party’s apps rights and then just relogin when/if you want to reaccess Twitter via that app. This way a new token will be issued.”

To see which third-party apps are connected to your Twitter account, click on the Apps Tab of your account settings, then click Revoke Access:


Protect your Twitter account! Go to Settings, then Apps, then click Revoke Access.

 


About The Author

Miranda Perry is the staff writer for Scambook.com, where she blogs about consumer issues, fraud and cyber security. She hopes to inspire readers to think critically about the world around them and take action to improve their lives.
