Users have been calling out Twitter for its weak account authentication for some time now, but the social network has stayed mum about the apparent holes in its security. Today Twitter was subject to what appears to be its largest attack yet, one which, due to its scale, forced the company to send alerts across its user base by email, notifying people that their accounts had been compromised.
In an email sent early this morning, Twitter acknowledged that accounts had been compromised by a third-party site and urged its users to change their passwords. We checked Twitter and noticed that many of the compromised accounts had been used to tweet spam, though the original users have since been able to regain access to them.
Here’s what Twitter said in the email:
“Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.
You’ll need to create a new password for your Twitter account. You can select a new password at this link: https://twitter.com/pw_rst/…
As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
In general, be sure to:
Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.
For more information, visit our help page for hacked or compromised accounts.
-The Twitter Team”
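The email's address-bar advice ("check that your browser's address bar is on a https://twitter.com website before entering your password") is easy to state and surprisingly easy to get wrong by eye, because phishing pages hide the real host behind prefixes, suffixes, userinfo and look-alike characters. The check below is an added example, not part of the email or of any Twitter code: it applies the same rule to the parsed URL instead of to what the eye sees. The allow-list of hosts and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts this example treats as genuine Twitter login pages. This is an
# assumption for illustration; the email itself only names https://twitter.com.
GENUINE_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}


def check_login_url(url: str) -> tuple[bool, str]:
    """Return (genuine, reason) for a URL a user is about to type a password into.

    The rule is the one the email gives a human: the scheme must be https and the
    host must be exactly a genuine Twitter host. Applying it to the parsed host
    defeats the usual tricks: 'twitter.com.evil.example' (suffix), 'evil.example/twitter.com'
    (path), 'twitter.com@evil.example' (userinfo) and homoglyph domains.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "not https"
    # .hostname is lower-cased with any 'user:pass@' prefix and ':port' removed,
    # so 'https://twitter.com@evil.example/' yields 'evil.example'.
    host = parts.hostname
    if not host:
        return False, "no host"
    host = host.rstrip(".")  # 'twitter.com.' is the same DNS name as 'twitter.com'
    if not host.isascii():
        return False, "non-ASCII host (possible homoglyph)"
    if host in GENUINE_HOSTS:
        return True, "genuine host"
    if "twitter" in host:
        return False, "look-alike host"
    return False, "unknown host"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine page and several phishing-style variants.
    samples = [
        "https://twitter.com/login",
        "https://TWITTER.com:443/login",
        "http://twitter.com/login",
        "https://twitter.com.evil.example/login",
        "https://evil.example/twitter.com/login",
        "https://twitter.com@evil.example/login",
        "https://tw\u0131tter.com/login",  # dotless i instead of i
    ]
    for sample in samples:
        ok, why = check_login_url(sample)
        print(f"{'OK  ' if ok else 'STOP'} {sample}  ({why})")
```

The reason string is what a user education tool or a browser extension would surface; the boolean is what matters for the decision. Note that a check like this only mirrors the advice in the email. A password manager that autofills only on the stored origin gives the same protection without asking the user to read the address bar at all.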
Earlier last month, Dennis Jones had his Twitter handle @blanket hacked, which led him to discover a mature black market for hacked Twitter, Minecraft and YouTube accounts. Each account can sell for as little as $60. Digging deeper, we discovered that hacking Twitter accounts has basically become child's play. Many "hackers" are simply teenagers who browse forums like hackforums.net. These communities are full of tutorials that guide anyone step by step through taking over coveted Twitter handles. The forums are also a proliferating marketplace for selling or trading the programs used in these attacks, including password-cracking tools.
Update: Twitter has responded to us and directed us to the statement in the company's blog post about the incident:
“We’re committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users.
In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused.
As always, we recommend that people review these tips on how to keep their Twitter accounts secure: