Twitter has not been having a great time lately, and things just seem to keep piling on. This time, Twitter has had to notify 10,000 users that their email addresses and phone numbers may have been exposed because of a bug in Twitter's password recovery system. Twitter notified affected users on Wednesday, but the leak had actually occurred sometime last week.
In a blog post, Twitter Trust and Info Security Officer Michael Coates wrote:
"We recently learned about — and immediately fixed — a bug that affected our password recovery systems for about 24 hours last week. The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts). We’ve notified those account holders today, so if you weren’t notified, you weren’t affected. We take these incidents very seriously, and we’re sorry this occurred. Any user that we find to have exploited the bug to access another account’s information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted."
Fortunately, the bug did not expose the users' passwords or anything that would grant direct access to any of the users' accounts. Also in the blog post, Coates gave some suggestions on how users can keep a watchful eye on their account login history and make sure they are as protected as they can be from someone trying to access their account:
- Require additional information to start the password reset process: for example, require your email address or mobile number to be entered beforehand.
- Use a strong password: at least 10 characters with a mixture of uppercase and lowercase letters, numbers, and symbols. Try not to use the same password as you do for other services.
- Set up 2-Step Verification Login: this will require you to input a code sent via text to log in.
- Check your Applications tab: use http://twitter.com/settings/applications to review and revoke the access privileges of third-party applications.
- Review login history: under Settings on Twitter you can access Your Twitter data, which will allow you to see when and where your account has been logged into.
Unfortunately, nothing will give you 100% security for your account, but by taking steps to protect yourself you can block the majority of the most common ways accounts get accessed by others.