“The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked,” Lord said. “For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”
Reached on Saturday, Twitter spokesman Jim Prosser had no further comment.
Based on the few details released about the Twitter and Washington Post attacks it's hard to say whether Chinese hackers were involved, said Rich Mogull, CEO of Securosis, an independent security research and advisory firm. There are certain pieces of malicious software that are characteristic to Chinese hackers, he said, but “the problem is not enough has been made public.”
One theory is that the Twitter hack happened after an employee's home or work computer was compromised through vulnerabilities in Java, a commonly used computing language whose weaknesses have been well publicized. Independent privacy and security researcher Ashkan Soltani said such a move would give attackers “a toehold” in Twitter's internal network, potentially allowing them either to sniff out user information as it traveled across the company's system or break into specific areas, such as the authentication servers that process users' passwords.
The relatively small number of users affected suggests that attackers weren't on the network long or that they were only able to compromise a subset of the company's servers, Soltani said.
Twitter is generally used to broadcast messages to the public, so the hack might not immediately have yielded any important secrets. But the stolen credentials could be used to eavesdrop on private messages or track which Internet address a user is posting from.
That might be useful, for example, for an authoritarian regime trying to keep tabs on a journalist's movements.
“More realistically, someone could use that as an entry point into another service,” Soltani said, noting that since few people bother using different passwords for different services, a password stolen from Twitter might be just as handy for reading a journalist's emails.