Sarah Jacobsson, PCWorld
Early Tuesday, Twitter said it had to reset the passwords of a small number of accounts compromised in an external phishing attack.
“As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite,” Twitter wrote in a prepared statement.
Twitter said it took the security action because of a “combination of multiple bad acts.” One, it believes, involved accounts being compromised after Twitter users signed up for what it described as “get followers fast schemes” that lured people to a non-Twitter site. A Twitter spokesperson also said it suspects this third-party site “could have allowed hackers to gain access to email addresses and passwords. Those Twitter users who use the same email addresses and passwords could be affected.”
According to Twitter, at least one account was compromised by a phisher. In that instance, Twitter updates were sent out without the account owner’s knowledge, Twitter said. “While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety,” Twitter said.
Twitter is no stranger to account hijacking. On Jan. 5, 2009, 33 prominent Twitterers (including Barack Obama and Britney Spears) had their accounts hacked by an individual. The hacker reportedly hacked the Twitter support tools (the tools Twitter uses to help users reset emails and passwords) and reset the passwords of the compromised accounts. In response to the attack, Twitter immediately shut down the support tools and restored the accounts to their rightful owners.
On May 21, 2009, Twitter was hit by a phishing attack in which phishers created fake Twitter accounts and began following legitimate Twitter users. The Twitter users received email notifications of their new followers, with a link that led them to a fake Twitter site where they were prompted to enter their usernames and passwords.
Twitter isn’t alone in grappling with phishing attacks. Recently, Facebook joined forces with McAfee to offer its users free antivirus software and increased protection from third-party phishing attacks.
Since phishing attacks usually succeed when people click on rogue links in emails without checking that the emails really come from who they claim to be from, there’s not much Twitter could have done to prevent the attack. However, security breaches like this one are unlikely to help Twitter’s falling growth rate.