Twitter has begun to send out emails to an unknown number of users telling them that their accounts may have been targeted by state-sponsored actors.
The emails first came to light at the end of last week in a tweet from Coldhak (@coldhakca), a Canadian non-profit organisation. While their account shows them as having just 320 followers, raising the question of why they would be a target, some of the other accounts receiving this email have tens of thousands of followers.
The first time Twitter has sent out emails to users
The email to users (see image below) is believed to be the first time that Twitter has sent a notification to its users about state-sponsored hacking. While there is no state named in the email, it is unlikely that the blame would be laid at the door of a state-sponsored hacker without there being clear information that points back to a particular state.
Despite having sent the email out to affected users, news outlets that have tried to get confirmation from Twitter are all reporting no response from the Twitter press office. There is also no mention on the Twitter news feeds of these attacks. This means that the only information available comes from those people who received the emails. However, on Saturday, Paul Szoldra (@PaulSzoldra) said that he had been able to confirm with Twitter that the emails are real.
Perhaps the most interesting part of the email is not that the accounts have been targeted or that the hackers may have obtained email addresses, telephone numbers or IP addresses. Instead it is the fact that Twitter seems to acknowledge that the users of the accounts may be relying on anonymity in order to post. As such, it recommends that they use Tor, the underground Internet that the French and other governments want to ban as a terrorist risk.
Some users, such as Runa A Sandvik (@runasand), have taken Twitter to task over the suggestion that they use Tor, saying: “Twitter suggests I use Tor to protect my online identity, yet frequently blocks accounts accessed over Tor.” It seems that Twitter is not good at taking its own advice.
It is about time Twitter began to notify users about potential security breaches. Keeping the announcement low key is a little surprising. Twitter may have done it because it hoped to still track the attackers. However, expecting it not to go public was little more than a faint hope.
Sending emails warning users of a risk to their account is a good thing, but there also needs to be a more public acknowledgement about such attacks. It will be interesting to see if Twitter makes the details of its findings from the attack public.