Reuters and many tech websites are reporting this morning that Twitter has been warning some of its users of a possible hack. This is unprecedented for the social media site, which has never issued such an alert before.
The extent of the hack is not known; however, Twitter indicates in the notification that only “a small group” of accounts were affected. According to Twitter: “We believe that these actors (possibly associated with a government) may have been trying to obtain information such as email addresses, IP addresses, and/or phone numbers.”
There is no indication which “government” Twitter suspects is connected with the hack, but online news sources are speculating about the usual suspects, China and North Korea. PCWorld reports that many of the account holders receiving the Twitter notices are “privacy advocates and security researchers, some of whom tweet under pseudonyms.” Reuters is also reporting that Google and Facebook have started warning users of possible state-sponsored attacks, but offers no details.
Twitter indicates they are sending the notices primarily as a precautionary measure: “At this time, we have no evidence they obtained your account information, but we’re actively investigating this matter.”
Although some sources are attempting to tie the hack to the breach of Sony’s computers late last year, there is no indication that this incident is connected or that it is as invasive.
It’s sad to see huge corporate hacks and data breaches become daily news.
The one step that would eliminate 95% of the problem is the one step the companies actively resist taking: Stop collecting all the damn data in the first place. If you don’t have it, it can’t be compromised.
Most of us who work in IT know exactly how lousy almost all corporate security actually is. Companies are too big and bureaucratic to ever be able to get it right.
Web based accounts should move to an asymmetric key based authentication mechanism, where no one holds your private keys but you. That way there are no passwords to steal. Remove two factor authentication and biometrics because those are just red herrings, likely to lead to more stolen data than they ever prevent.
Beyond this, companies simply need to stop collecting so much data on their customers.
If you want to allow data collection and still improve things do this:
Have customer data encrypted using only the key the customer holds. Now you can retrieve it, but only by actively asking the customer to decrypt it for you. Your local DB is stolen? No problem, every record is uniquely encrypted using keys you don’t hold. It also gives the customer control over when that information gets used. If you get caught in a data breach holding unencrypted information on customers, you should be held legally liable for everything done with that stolen information.
There…fixed it.
Feel free to send me some of the money you were previously spending on data security. (You were spending an amount proportional to the value of the data stored, right? No? Then shame on you.)
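To make the commenter's "no one holds your private keys but you" proposal concrete, here is a small challenge-response login sketch in Go. It is an added example, not code from the commenter or from any of the sites named in the article; it assumes Ed25519 keys, a user name of my own choosing in the test, and a made-up domain-separation tag. The server stores only public keys, so a stolen user table yields nothing that logs anyone in, and every nonce is single-use so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Domain-separation tag (my own choice): the client signs only login
// challenges, never arbitrary server-supplied bytes, so a signature
// cannot be repurposed for some other protocol.
const challengeTag = "login-challenge-v1:"

// Server holds public keys only; there is no password or private key to steal.
type Server struct {
	pubkeys map[string]ed25519.PublicKey
	nonces  map[string][]byte // one outstanding challenge per user
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Register stores the user's public key; the private key never leaves the client.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubkeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce for a single login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and retires the nonce
// whether or not the signature was valid, so a replayed signature always fails.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.nonces[user]
	if !ok {
		return false
	}
	delete(s.nonces, user)
	return ed25519.Verify(s.pubkeys[user], append([]byte(challengeTag), nonce...), sig)
}

// ClientSign is the client's only step: sign the tagged nonce with its private key.
func ClientSign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, append([]byte(challengeTag), nonce...))
}
```

Note that this only removes the password; a stolen client device still holds the private key, which is why the key belongs in hardware-backed storage where available.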