MICROBLOGGING SERVICE Twitter has been forced to issue a post advising users to change their passwords after it discovered a filesharing scam targeting its users' accounts.
Twitter discovered strange activity after it saw a sudden surge of followers over the past few days on a couple of accounts. After digging around, its team found that the accounts were set up to link to dodgy BitTorrent sites that were created to steal usernames and passwords.
Del Harvey, Twitter's director of trust and safety, described the problem by saying, "It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra - security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up."
In the post, Harvey also said that Twitter had changed the accounts affected and urged its users to have multiple passwords for different services. "The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites."
Spam and phishing attacks on Twitter are on the increase, with a 70 per cent rise in attacks, and won't be going away any time soon. Only this morning Twitter was forced to urge other users to change their details after a phishing attack, asking users to be on the lookout for any unusual third-party activity.
Scottish blogger Andrew Girdwood was one of the users who received a post saying, "Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset. Please create a new password by opening this link in your browser. ... Remember to choose a strong password that is a combination of letters, numbers, and symbols. Do not reuse your old password."
Twitter acknowledged the password problem with a tweet on safety that said, "Got an email from us saying we've reset your password? A small # of accts seemed possibly affected offsite & we took a precautionary step."
Next, of course, the phishing scammers will be sending out their own emails a lot like those, linked to their own fake websites. And so it goes.