We got hacked: the full story.

by Omer Ginor, posted 1 year ago

On Friday, November 18th, some of our users saw strange behaviour on their Twitter feed. We were the target of a cyber attack, which allowed hackers to spam unwanted tweets on behalf of several of our users. To me, that was a first and a very unpleasant experience. I felt like we failed our users in keeping the integrity of their timeline, and that’s not a very nice feeling to have.

Based on our investigation, the attack was directed only at high profile accounts such as Playstation, Viacom, Xbox, Charlie Sheen, Lionel Messi and several others. Soon after realizing the security breach, and until we got a clear picture of what was going on, we blocked the ability of our system to take any action on behalf of our users.
Security and the integrity of our services come first.

Then, with time once again on our side, we conducted a security audit and found the most likely gap that allowed the attackers to infiltrate our defences and post on our users’ behalf.

What comes next is a bit of a dull technical description, so if you’re not technical you can skip this and read on…

The attackers used a mechanism to hack the cookies used by the website, so that they could, one user at a time, make the system believe they were logged in as a specific user and therefore take the actions we allow users to take on our site, such as posting. The cookie encryption mechanism we were using has better alternatives in the market today that are considered much safer. We will not share what those mechanisms are for obvious reasons, but I’ll say that with those methods, the use of cookies is again considered very safe.
For those who followed this last part and are not sure what cookies are – here’s an article explaining them. It’s a method used by pretty much every website and service.
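As an added illustration of the safer direction the post alludes to (this is not Twitter Counter’s code, and the post does not say which mechanism they used or adopted): a session cookie whose contents are authenticated with an HMAC under a server-side secret, so that a cookie rewritten to name a different user fails verification instead of being trusted. The key, user ids and timestamps below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real deployment uses a long random key kept only server-side.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def issue_cookie(user_id, ttl_seconds=3600, now=None):
    """Build a tamper-evident cookie: urlsafe-base64(JSON payload) + '.' + HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl_seconds}, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    tag = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie, now=None):
    """Return the user id only if the tag matches the body and the cookie is unexpired; else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:  # no '.' separator at all
        return None
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not reveal how much of a tag was right.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad JSON
        return None
    if not isinstance(data, dict) or data.get("exp", 0) <= now:
        return None
    return data.get("uid")


def rewrite_user_id(cookie, new_user_id):
    """Change the payload's user id but keep the old tag (all someone without the key can do).

    With an unauthenticated cookie the server would accept this; with the HMAC it must not."""
    body, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body.encode()))
    data["uid"] = new_user_id
    new_body = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{new_body}.{tag}"
```

The tag binds the whole payload, so the expiry field is protected as well; rotating `SECRET_KEY` invalidates every outstanding cookie at once, which is the blanket revocation the post describes doing manually.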

The security investigation we did also identified a couple of other places where we can improve our security, and all these security improvements are being installed as we speak by our engineering team. This brings us to a place where this kind of attack and abuse of our system will be really hard. I mean REALLY. Nothing is 100% safe on the web, but we want to look our users in the eye and say ‘you can trust us with your account permissions’. 

One thing is very important for our users to know: all private and sensitive information such as credit card details and Twitter account passwords is NOT stored on any of our servers.

In any case, this is a security issue, and it is a great opportunity to recommend that you take safety precautions in handling your Twitter accounts:

  • Enable two-step authentication for your account by linking your phone number to your Twitter account.
  • Use a strong password with at least 10 characters and a combination of letters, numbers and other characters.
  • Periodically review the list of apps authorized by your account. Make sure you use or need all of them and revoke access to the ones you don’t.
  • Contact Twitter immediately if you think your account has been compromised.

One final note from my own perspective: we now know who the hackers are and are going to make them pay for their actions. To me it’s important they don’t get away with it – because of the damage they caused our users and customers, the damage they caused us, not to mention making all of us work through the weekend – and so that they won’t profit from these actions. Hopefully by doing that the web will be a tiny bit safer, for you and for us.

As a leading analytics service for Twitter accounts, we are committed to top-quality service.

I personally want to apologize to the affected users and customers.

If you have any questions regarding this incident or concerns about your account safety, feel free to contact our support team or contact me directly: omer at twittercounter dot com.

All the best from a sunny Amsterdam,

Omer Ginor
Chief Counter