33 High Profile Twitter Users Accounts Hacked

It’s been a bad week for Twitter. Over the weekend the community was hit by a phishing scam, and in the last 24 hours 33 high-profile Twitter users had their accounts hacked. These accounts included President-elect Barack Obama, Rick Sanchez, Britney Spears and other high-profile/celebrity Twitter users.

Twitter explained what happened in a post on their blog:

“The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We’ll put them back only when they’re safe and secure.”

To be fair to Twitter, both this situation and the phishing one were responded to quickly. However, it does show that Twitter is increasingly being targeted by malicious attacks, and it should serve as a warning to those using Twitter to expect the unexpected. While there wasn’t anything that those whose accounts were hacked could have done to prevent this, do keep your password secret and change it regularly.

Twitter does seem to be moving towards a more secure system, with a beta test of OAuth scheduled for later this month, but until it goes live (and even after it) be a little more alert than normal.

Twitter Under Phishing Attack

Twitter have alerted their users that there has been a phishing attack on many of them over the weekend. You can read the full post (with updates) on the Twitter blog.

The phishing ‘scam’ went like this:

Emails were sent out to Twitter users that resembled the notification emails you get when you receive a Direct Message. The email said that a blog post had been written about the Twitter user and contained a link. The link led to a page that looked like the Twitter front page, complete with a login form.

It seems that quite a few Twitter users didn’t realize that they were not on the real Twitter front page and logged in anyway, handing over their login details in the process.

Once this happened, the second wave of the attack set in: the accounts of those who had given away their login details were used to send DMs to their friends, telling them to check out a link on a blog. Again these links led to a page that looked like the Twitter front page.

It seems that the attack didn’t have much more of an agenda than to cause trouble, as to this point there are only reports of the information being used to keep the scam going. Nonetheless, many Twitter accounts seem to have been compromised (I’ve had 20+ DMs from legit Twitter users in the last 12 hours).

Twitter have acted pretty quickly: they have reset the passwords on accounts that have been compromised and have reported the URLs concerned to OpenDNS’ and Google’s phishing blocklists. I just visited the page and Firefox warned me of the danger.

If you’re trying to log in to Twitter and your password has been reset by Twitter, you can reset it here.

Update – it seems that the phishers are now starting to send DMs, using the accounts of those who have given away their login details, that invite people to visit an iPhone site. While Twitter say they’ve changed people’s passwords, I’m still getting quite a few of these DMs. Looks like this phishing thing has still got legs!