The Tech Herald

Phishing attack locks some users out of Twitter (Update)

by Steve Ragan - Feb 3 2010, 15:44

Update:

Twitter has released more details behind the password changes yesterday that impacted scores of users. It all started with a couple of accounts that had a sudden surge in followers over the last few days.

Some investigation led them to discover a person who for a number of years created Torrent sites and forums, which would later be sold. “However, these sites came with a little extra — security exploits and backdoors throughout the system,” Del Harvey, Director of Trust and Safety at Twitter, explained.

“This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information.”

The takeaway, Harvey noted, is that the users of these forums and the accounts at risk all shared two things. The first is that the users had signed up on the malicious forums. The second is that the passwords and email addresses used on those forums were the same ones used on Twitter. Because of that overlap, Twitter reset the passwords to prevent compromise.

Their final advice on the issue is the same advice given by several security experts. “We strongly suggest that you use different passwords for each service you sign up for…”
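The mechanism Harvey describes is credential reuse: an attacker who harvests email/password pairs from one site can try them on another. The defensive response described above is to compare the leaked pairs against the service's own password store and force a reset where they verify. The following is an added example of that check, not Twitter's code; it assumes a constructed leaked forum dump and PBKDF2-hashed records, which are illustrative assumptions rather than anything stated in the article.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 parameters are an assumption for this example, not the scheme
# used by any real service.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash for one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password: str) -> dict:
    """Build one stored account record: random salt plus derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}


def build_sample_users() -> dict:
    """Constructed sample accounts keyed by lower-cased email (illustrative only)."""
    return {
        "alice@example.com": make_user("hunter2"),       # reused the forum password
        "bob@example.com": make_user("correct horse"),   # different password here
    }


# Constructed sample of what a compromised forum's dump might look like:
# (email, plaintext password). Carol has no account on this service.
LEAKED_FORUM_DUMP = [
    ("Alice@Example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "qwerty"),
]


def find_reused_credentials(site_users: dict, leaked_credentials: list) -> list:
    """Return emails whose leaked password verifies against this service's
    stored hash, i.e. accounts exposed by reuse on the compromised forum."""
    at_risk = []
    for email, leaked_password in leaked_credentials:
        key = email.strip().lower()
        record = site_users.get(key)
        if record is None:
            continue  # leaked email has no account here, nothing to reset
        candidate = hash_password(leaked_password, record["salt"])
        # constant-time comparison avoids leaking match timing
        if hmac.compare_digest(candidate, record["hash"]):
            at_risk.append(key)
    return at_risk


def force_reset(site_users: dict, emails: list) -> int:
    """Invalidate the stored hash for each affected account so no password
    verifies until the user completes a reset flow; returns the count."""
    for email in emails:
        record = site_users[email]
        record["hash"] = secrets.token_bytes(len(record["hash"]))  # unguessable
        record["must_reset"] = True
    return len(emails)


if __name__ == "__main__":
    users = build_sample_users()
    exposed = find_reused_credentials(users, LEAKED_FORUM_DUMP)
    print("accounts with reused credentials:", exposed)
    print("passwords reset:", force_reset(users, exposed))
```

Only accounts where the leaked plaintext verifies against the service's own hash are reset, so users who already followed the "different password per service" advice are left alone; after the reset the same dump no longer matches anything.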

Original Article:

Earlier this morning some Twitter users logged in to the Web interface of the popular social service and were told that they needed a password reset due to a Phishing scam.

To be clear, the Phishing attack was not aimed at Twitter, but at another service, an email from Twitter explained. The password reset is simply a security precaution.

If the password reset request wasn’t noticed online, many Twitter users got an alert that their password was changed for them in their email. The message from Twitter said that the user’s account “may have been compromised in a Phishing attack that took place off-Twitter.” As a result, “your password was reset.”

Either way, the change caused some Twitter users to think the email itself was a Phishing scam, until they went to log in. At this point, no one is sure who was targeted in the off-Twitter Phishing attack, and speculation points a finger at NutshellMail.

NutshellMail is a service that will send digest emails containing things from both Facebook and Twitter. It is possible that the Phishing attack was focused here. However, neither Twitter nor NutshellMail has made any public statement.

[Note: NutshellMail contacted us to deny all involvement. They use Twitter OAuth to connect accounts and do not store passwords. Shortly after their email, Twitter released the details covered in the update.]

Just yesterday The Tech Herald reported on the trend of criminals attacking social networks, considering the lucrative payout in information and access to users. While Facebook earned the top rank on a list of risky social portals, Twitter was a close third.

“Computer users are spending more time on social networks, sharing sensitive and valuable personal information, and hackers have sniffed out where the money is to be made,” said Graham Cluley, senior technology consultant for Sophos.

“The dramatic rise in attacks in the last year tells us that social networks and their millions of users have to do more to protect themselves from organized cybercrime, or risk falling prey to identity theft schemes, scams, and malware attacks,” he added.

In this case, Twitter appears to have been proactive in protecting its own users. We’ll add to this story as new information emerges.
