250,000 Twitter Accounts Hacked Via Vulnerability In Java 7 Update 10 Last Week

February 7, 2013

Thursday, February 7, 2013 by Tasneem Dharamsi
Early Friday evening, Twitter announced on its blog that the company had “detected unusual access patterns” that indicated that “unauthorized . . . attempts” were made to access as many as 250,000 Twitter accounts.  Basically, nearly a quarter of a million Twitter accounts were hacked into.  In what the company has called a “sophisticated attack,” Twitter has revealed that the anonymous hackers were able to find the usernames, email addresses, session identifiers, and encrypted passwords of these users.  Twitter reported that it unearthed one hacking attack while in progress and was able to shut it down, but that in order to protect those 250,000 compromised accounts, it has reset passwords and revoked session identifiers for the accounts.   Twitter also stated that it sent out emails to notify those users whose accounts were affected by the attacks.
In its blog alert, Twitter urged its users to follow the advisory issued by the United States Department of Homeland Security in which the Department identifies a vulnerability in Java 7 Update 10 that “can allow a remote, unauthenticated attacker” access a system.
The Department of Homeland Security stated that Java 7 on Widows, OS X, and Linux platforms have been successfully attacked.   In order to mitigate the vulnerability, the Department encourages users to disable Java in internet browsers as the first line of defense.  If “it is absolutely necessary to run Java in web browsers,” the Department recommends installing Java 7 Update 11 or restricting access to Java applets.
The threat of being attacked by hackers is so severe that even Apple has gotten involved.  CNET is reporting that in light of the security breaches, Apple released an update to its users that blacklisted the latest versions of Java.  Mac users wanting to restore Java on their computers must download the latest version on their own.   Additionally, the New York Times has stated that macs will no longer be shipped with Java enabled by default.
Twitter has been reprimanded in the past for failing to adequately protect the personal information of its users.  In 2010, the Federal Trade Commission filed charges against the company alleging that there were “serious lapses in the company’s data security” that served as vulnerable points for hackers.  In a settlement with the FTC, Twitter agreed to undergo independent security assessment every other year for the next 10 years.
However, this most recent attack may not be due entirely to Twitter’s lax security measures.  Twitter stated that it believes that other websites and companies have been and will continue to be targeted by these hackers.  Indeed, over the last week, both The New York Times and The Wall Street Journal reported that their newspapers had been the target of Chinese hackers.  A reporter for The New York Times stated that over the last four months, Chinese hackers had discovered the passwords used by every New York Times employee and even accessed the personal computers of more than 50 of these employees.  The Wall Street Journal reported that it, along with other media sources like Dow Jones & Co., has been subjected to attacks originating in China.