When 250 000 of your accounts are hacked, you know it’s time to step up security. In the wake of the attack late last week that exposed hundreds of thousands of Twitter usernames, email addresses, session tokens and encrypted passwords, the social network is recruiting engineers to focus on implementing multifactor authentication and locating potential weak spots in its system.
According to a job listing, Twitter is interested in building “a more secure platform and user experience.” During the recent “sophisticated” attack (which Twitter suggests may be linked to the security breaches at the New York Times and Wall Street Journal), the company tracked down one live connection attempting to access user data, but estimates that the hackers could have been accessing information for thousands of users before the unusual login attempts were spotted by its team. Which is probably why it’s looking for someone to work on “multifactor authentication and fraudulent login detection”. It seems that captcha you see after too many failed login attempts just isn’t cutting it any more.
Although the hack only affected a small percentage of the social network’s 200-million active users (and the affected account holders were notified shortly after Twitter figured out what was happening), it seems the company is working on implementing extra layers of security. One form of multifactor authentication, for example, could require users to enter a code SMSed to their phones when they try to log into Twitter from a new location or unfamiliar device.
It’s a system that is already available on other web services, like Gmail, and makes it more difficult for hackers to access your account with just a password — they’d need your phone too. It also serves to alert the owner that someone is trying to access their account from a strange computer or mobile device.
Until Twitter rolls out the option though, the most you can do is change your password to something long, unique and complicated. Twitter also stands behind a recent security advisory that recommends you disable any Java plugins that may be active in your browser.