Twitter on Tuesday said it had to reset passwords for “a small number of
accounts” after the microblogging site was targeted by a phishing attack.
The site said that attackers had attempted to steal the login information
of users who had used their Twitter username and password to sign
up for an untrusted third-party application. Officials didn’t disclose just
how many accounts had their passwords changed, saying only that the
third-party application had used the login information to post tweets to
“As part of Twitter’s ongoing security efforts, we reset passwords for a
small number of accounts that we believe may have been compromised offsite,”
Twitter said in a statement. “While we’re still investigating and ensuring
that the appropriate parties are notified, we do believe that the steps
we’ve taken should ensure user safety.”
Being able to rapidly share information, links, photos and videos is a big
part of Twitter’s allure. But their popularity has long made them a prime target
for online criminals.
“Social networks are large, successful targets because phishers exploit
the trust the recipients have in their own social networks,” Jamie
Tomasello, abuse operations manager at security software maker Cloudmark,
said in an e-mail to InternetNews.com. “The phisher also takes
advantage of our natural curiosity to look at links in messages with
sensational subject lines and our immediate desire to react to a warning
“Users receiving these types of messages should pause before responding,
verify the sender, and ultimately go to the site directly instead of
clicking on the link in the message,” she added.
Additionally, many users are simply not careful enough in safeguarding
their login information. Third-party sites such as twitpic.com, TweetDeck
and twhirl require users to input their Twitter login information, but
security experts say the practice of reusing usernames and passwords on
multiple sites can lead to security breakdowns.
This isn’t the first time Twitter has been targeted by
hackers. In August, a denial-of-service attack perpetrated by a botnet
delivered a flood of traffic that temporarily disabled Twitter and slowed
Facebook and other services.
Twitter officials this week were quick to point out that the site hadn’t
been the source of a data breach and advised users to continue checking for
updates on the situation at Twitter feeds @safety and @spam throughout the
Additionally, some users are receiving e-mails from Twitter recommending
that they create a new password by following a provided link or by logging
in directly at twitter.com.