All Twitter users are being advised today to log into their account and revoke access to all third-party applications after an Islamic hacker managed to pull the entire OAuth database for users of Twitter. Calling himself the Mauritania Attacker, the hacker from the West African country of Mauritania posted details from just over 15,000 Twitter users earlier today and claims to have millions more. It's not clear whether he attacked Twitter or a third-party site. The latter is much more likely. Twitter says they are looking into the situation.
Twitter says that the stolen files do not include passwords, but they do contain usernames along with the OAuth access keys that third-party applications use to manage your Twitter account on your behalf. Security expert Allen Woodward, of the University of Surrey in the UK, told the website Gigaom that the easy way to protect your account is to log in and delete all third-party access to the account. Then, by simply reauthorizing those applications, a new key is generated for each one and the stolen keys no longer work.
"Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third party apps that have access. The reason is that at present Twitter OAuth tokens once issued do not expire. You have to manually revoke them," said Woodward. "So, I think best thing one could [do] is to go in and revoke third party's apps rights and then just relogin when/if you want to reaccess Twitter via that app. This way a new token will be issued."
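The mechanism Woodward describes, as an added example that is not part of the original article or of Twitter's own code: a hypothetical, constructed model of a provider-side access-token store in which tokens never expire on their own, showing that a leaked token keeps working until the user revokes the app, and that reauthorizing issues a fresh token the leaked copy does not match.

```python
import secrets


class TokenStore:
    """Constructed model of non-expiring OAuth access tokens (not Twitter's implementation)."""

    def __init__(self):
        # token -> record; nothing here ever expires by itself, which is why
        # a leaked token stays usable until it is explicitly revoked
        self._tokens = {}
        self.revoked_token_uses = 0  # defender-side signal worth alerting on

    def authorize(self, user, app):
        """User grants `app` access; a fresh token/secret pair is issued every time."""
        token, secret = secrets.token_hex(16), secrets.token_hex(16)
        self._tokens[token] = {"user": user, "app": app, "secret": secret}
        return token, secret

    def is_valid(self, token, secret):
        rec = self._tokens.get(token)
        if rec is None:
            self.revoked_token_uses += 1  # use of an unknown/revoked token
            return False
        return secrets.compare_digest(rec["secret"], secret)

    def apps_for(self, user):
        return {r["app"] for r in self._tokens.values() if r["user"] == user}

    def revoke_all(self, user):
        """The 'delete all third-party access' housekeeping step; returns count removed."""
        doomed = [t for t, r in self._tokens.items() if r["user"] == user]
        for t in doomed:
            del self._tokens[t]
        return len(doomed)


def simulate_leak_and_cleanup():
    store = TokenStore()
    old_token, old_secret = store.authorize("alice", "tweet-scheduler")
    leaked = (old_token, old_secret)  # constructed: copy of the token dump
    before = store.is_valid(*leaked)  # still works: tokens do not expire
    removed = store.revoke_all("alice")  # user revokes app access
    after = store.is_valid(*leaked)  # leaked copy is now dead
    new_token, new_secret = store.authorize("alice", "tweet-scheduler")
    return {"leaked_valid_before": before, "removed": removed,
            "leaked_valid_after": after, "new_valid": store.is_valid(new_token, new_secret),
            "token_rotated": new_token != old_token, "apps": store.apps_for("alice"),
            "revoked_uses_seen": store.revoked_token_uses}
```

In a real service the record would also store the token secret hashed rather than in the clear, so that a stolen copy of the store is of less use.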