Twitter has erupted with people complaining about being asked to reset their passwords after being told they have been a victim of a phishing attack.
It’s not clear if the attack is legit, or if it’s the Twitter platform playing up, but either way it seems fairly serious. When many users are logging into the Twitter web interface, they are being met by one of the following messages:
“Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset,” and “due to concern that your account may have been compromised in a phishing attack, your password was reset.”
The site then forces the user to change their password before allowing them to login again. To be clear: it’s normal procedure for sites to reset passwords for users who are suspected to have had their accounts compromised, but in this case it seems many users are baffled as to how they could have been attacked.
Some users also received an email about an off-site phishing attack that has led to the compromisation of accounts, but at this stage it’s unclear what site was attacked and how wide-scale the damage is.
We’ll update this post once we know more about what’s going on.
UPDATE: Twitter have made the following statement about the issue:
As part of our ongoing efforts to monitor our user base for odd activity, we noticed a sudden surge in followers for a couple accounts in the last five days. Given the circumstances surrounding this, we felt it was best to push out a password reset to accounts that were following these suspicious users.
Then we started doing some digging and, given what we found today, we felt it important to share this information. An outline of what appears to have happened follows …
Torrent sites aren’t exactly “new”; however, this is one of the first times that we’ve seen an attack that came from this vector. It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third party sites like Twitter. We haven’t identified all of the forums involved (nor is it likely that we’ll be able to, since we don’t have any connection with them), but as a general rule, if you’ve signed up for a torrent forum or torrent site built by a third party, you should probably change your password there.
The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites. Through our discussions with affected users, we’ve discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts. While not all users who were sent a password reset request fall into this category, we felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account. We strongly suggest that you use different passwords for each service you sign up for; more information on how to keep your Twitter account safe can be found here: http://twitter.zendesk.com/forums/10711/entries/76036.
Director, Trust and Safety
Update: TechCrunch have picked up on the issue, and have managed to get a statement out of Twitter, who we still haven’t heard back from.
“As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite. In one case, a number of accounts posted updates indicative of giving their username and password to untrusted third parties. While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety.”
It’s thought that some of the ‘get followers fast’ campaigns may have something to do with the attack, but Twitter aren’t confirming this yet.