Twitter revealed late yesterday (Feb. 1) that 250,000 usernames and passwords may have been stolen in an "extremely sophisticated" data breach.
The affected credentials seemed to be limited to the first quarter of a million people who signed up for Twitter after the service launched in 2006.
Directly affected users have had their passwords revoked, and should have already received emailed notifications from Twitter.
Nonetheless, it's a good idea for all 500 million Twitter users to change their passwords now, using the Twitter website itself, and to do the same on every other online account where that password is reused.
"Make sure you use a strong password — at least 10 (but more is better) characters and a mixture of upper- and lowercase letters, numbers, and symbols — that you are not using for any other accounts or sites," Bob Lord, Twitter director of information security, said in a company blog posting.
"Today would also be a good day to change the password on the email account where your Twitter password reset email would be sent to," tweeted Mikko Hypponen of Finnish security firm F-Secure.
"Some attackers will certainly use the Twitter password breach as an opportunity to send 'breach notification' phishing emails. Watch out," Hypponen added.
Lord hinted that the attack may have been the work of Chinese state-sponsored hackers.
"This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked," he wrote.
Late Wednesday (Jan. 30), the New York Times revealed its systems had been penetrated since September by what the newspaper believed were hackers linked to the Chinese military.
On Thursday (Jan. 31), the Wall Street Journal said it, too, had been attacked by Chinese hackers, though it provided fewer details than the Times.
Yesterday, the Washington Post, following a scoop by a former staffer, admitted that its networks had been penetrated for years.
Lord mentioned the Times and Journal hacks in his posting, and, cryptically, also urged users to turn off Java plug-ins in their browsers.
He did not say whether Java vulnerabilities were linked to his company's data breach.
Lord said Twitter encrypted and "salted" its user passwords, making them difficult to crack.
Ars Technica's Dan Goodin received word that Twitter uses the bcrypt algorithm, one of the strongest commonly used password-hashing methods.
But, as Goodin noted, even the best password-hashing algorithm "merely slows down the cracking process."
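The two properties mentioned above, per-user salting and a tunable work factor that only slows guessing rather than preventing it, as an added illustration that is not Twitter's code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 (also a salted, iterated password hash) stands in for it; the wordlist and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
import time


def hash_password(password, iterations, salt=None):
    """Return (salt, digest). A fresh random salt per user is what 'salting'
    means: two users with the same password get different stored hashes, so
    one precomputed table cannot be checked against the whole database."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations):
    """Recompute the hash with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guesses_needed(digest, salt, iterations, wordlist):
    """Offline guessing against one leaked record: how many dictionary
    candidates must be hashed before a match. Every guess pays the full
    iteration cost, which is the 'slows down' in Goodin's remark; a weak
    password is still found, just later."""
    for n, guess in enumerate(wordlist, start=1):
        if verify_password(guess, salt, digest, iterations):
            return n
    return None


def seconds_per_guess(iterations, samples=3):
    """Measure the cost of one guess at a given work factor, so the reader
    can see that raising iterations raises the attacker's per-guess cost."""
    salt = b"\x00" * 16  # fixed salt: only timing matters here
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"timing", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    salt, digest = hash_password("hunter2", 100_000)  # constructed sample password
    wordlist = ["123456", "password", "twitter", "hunter2"]  # constructed sample
    print("guesses to crack:", guesses_needed(digest, salt, 100_000, wordlist))
    for cost in (1_000, 100_000):
        print(f"{cost:>7} iterations: {seconds_per_guess(cost):.5f} s per guess")
```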