On Wednesday, Twitter was hit by a phishing attack. The company reset thousands of passwords as a result, but it now says it reset more passwords than necessary.
The BBC reported, “Thousands of Twitter users have received emails warning their account has been compromised by a third party. Some accounts had been compromised, but other users had received the emails after Twitter had unintentionally reset unaffected passwords, the company said. The mass email coincided with incidents involving several high-profile accounts, including at least one account belonging to the BBC. Other media organisations, such as the TechCrunch blog, reported being warned.”
Charles Arthur from The Guardian noted, “Some of the attempted hacks used phrases like ‘serious gossip’ or ‘that video’ or ‘saying bad things [about you]’ with a link to a phishing or malware site.”
TechCrunch posted a statement that Twitter issued in response to widespread concerns about the password resets. The statement said, “We’re committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users. In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused.”
The Wall Street Journal’s Matthew Lynley noted that the password resets caused some overreactions and added, “The mistake even caused paranoia in China, where a number of prominent China activists and journalists received notifications from Twitter.”