A few days ago, Twitter announced that it had been targeted by hackers and that about 250,000 accounts had been compromised. When the attack was discovered, Twitter revoked the security tokens for the affected accounts and reset their passwords. The account owners were sent e-mails telling them to choose a new password.
In the wake of the attack, Twitter is apparently pursuing improved authentication. Information Week reports that a job listing that appeared early this week on the Twitter website seeks a software engineer for product security. The job description asks for experience designing and developing user-facing security features, including multifactor authentication.
The listing also wants the new hire to be familiar with fraudulent-login detection techniques. It turned up on Monday, and Information Week reports that Twitter didn't respond to requests for comment on whether it plans to implement two-factor authentication. A number of large websites already use two-factor authentication; one of the most notable is PayPal.
Dropbox also now offers two-factor authentication, added after hackers were able to steal passwords for some user accounts. Interestingly, some owners of accounts affected in the recent Twitter hack note that their expired passwords still work when they log into Twitter through the Twitter API used by third-party tools. Twitter maintains that it reset all passwords for the affected accounts. However, it appears that Twitter didn't expire the OAuth tokens, which let third-party applications keep accessing those accounts even though the passwords had been reset. An OAuth token is a credential in its own right: an authorized app presents its token, not the user's password, so a password reset on its own does nothing to lock out an app that was authorized before the reset.
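The failure mode described above, as an added example that is not Twitter's code or part of the original post: a hypothetical `AuthService` with password logins and OAuth-style app tokens, a weak reset that rotates only the password, and a compromise-response reset that also revokes every token the account has issued. The account name, app name and passwords are constructed test data.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-account salt; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    # Long-lived tokens issued to third-party apps: token -> app name.
    oauth_tokens: dict = field(default_factory=dict)


class AuthService:
    """Hypothetical account service (not Twitter's): passwords plus app tokens."""

    def __init__(self):
        self.accounts = {}
        self.token_index = {}  # token -> username, used on every API call

    def create_account(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, _hash_password(password, salt))

    def login(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def authorize_app(self, username, password, app_name):
        """A third-party app exchanges the user's credentials for a token once."""
        if not self.login(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.accounts[username].oauth_tokens[token] = app_name
        self.token_index[token] = username
        return token

    def api_request(self, token):
        """Every later API call carries only the token; the password is never sent."""
        username = self.token_index.get(token)
        if username is None or token not in self.accounts[username].oauth_tokens:
            raise PermissionError("invalid or revoked token")
        return username

    def reset_password_weak(self, username, new_password):
        """The gap in the article: the password changes, issued tokens survive."""
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)

    def reset_password(self, username, new_password):
        """Compromise response: rotate the password AND revoke every app token."""
        self.reset_password_weak(username, new_password)
        acct = self.accounts[username]
        for token in list(acct.oauth_tokens):
            self.token_index.pop(token, None)
        acct.oauth_tokens.clear()


def demo():
    """Run both reset paths against one account and report what still works."""
    svc = AuthService()
    svc.create_account("alice", "old-password")          # constructed test account
    tok = svc.authorize_app("alice", "old-password", "TweetClient")
    results = {}

    svc.reset_password_weak("alice", "new-password-1")
    results["old_password_rejected_after_weak_reset"] = not svc.login("alice", "old-password")
    results["app_token_still_works_after_weak_reset"] = svc.api_request(tok) == "alice"

    svc.reset_password("alice", "new-password-2")
    try:
        svc.api_request(tok)
        results["app_token_revoked_after_full_reset"] = False
    except PermissionError:
        results["app_token_revoked_after_full_reset"] = True
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The token index is the part that matters: revocation has to remove the token from whatever store the API consults on each request, not just from the account record, or a client holding the old token keeps working exactly as the affected users reported.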
[via Information Week]