Twitter Mass Password Reset due to Phishing
Twitter is sending out a large number of e-mails, asking users to reset their passwords. It appears a large number of passwords got compromised in a recent phishing incident (mine included).
When I first received the message, I considered the e-mail itself a phishing attempt. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:
- delete the e-mail
- go to Twitter by typing the address into your browser yourself, not by following the link in the e-mail. Best: use https://www.twitter.com (httpS, not http) (hey, I got a link for you to make it easier ;-) https://www.twitter.com
- change your password.
- do not reuse the password, do not use a simple password scheme (like "twitterpassword" and "facebookpassword")
I know it is hard. A lot of people will advise against writing the password down, or against using a "password safe" application. But considering the risks, I tend to advise people to rather write down their passwords or use a password safe application than to use bad or repeated passwords.
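As an added illustration (not part of the diary), the following Python audits a set of per-site passwords, such as an export from a password safe, for exactly the two habits the list above warns against: the same password on several sites, and a "scheme" where only the site name changes. The site names, the passwords and the `audit_vault` helper are constructed for this example.

```python
import difflib
import re

# Constructed sample vault: site -> password, as a password safe export might look.
SAMPLE_VAULT = {
    "twitter.com": "twitterpassword",
    "facebook.com": "facebookpassword",
    "bank.example": "Tr0ub4dor&3",
    "mail.example": "Tr0ub4dor&3",
    "shop.example": "Tr0ub4dor&4",
    "forum.example": "xK9#vQ2$mL7pW!eR",
}


def site_stem(site):
    """'twitter.com' -> 'twitter': the token a naive scheme splices into the password."""
    return site.split(".")[0].lower()


def normalize(site, password):
    """Strip the site name so 'twitterpassword' and 'facebookpassword' both become 'password'."""
    return re.sub(re.escape(site_stem(site)), "", password, flags=re.IGNORECASE)


def audit_vault(vault, threshold=0.8):
    """Return (site_a, site_b, reason) for every pair of accounts whose passwords are
    identical, differ only by the site name, or are near-duplicates (small edits)."""
    findings = []
    items = sorted(vault.items())
    for i, (site_a, pw_a) in enumerate(items):
        for site_b, pw_b in items[i + 1:]:
            if pw_a == pw_b:
                findings.append((site_a, site_b, "identical"))
                continue
            norm_a, norm_b = normalize(site_a, pw_a), normalize(site_b, pw_b)
            if norm_a == norm_b:
                findings.append((site_a, site_b, "site-name scheme"))
                continue
            ratio = difflib.SequenceMatcher(None, norm_a, norm_b).ratio()
            if ratio >= threshold:
                findings.append((site_a, site_b, "near-duplicate"))
    return findings


if __name__ == "__main__":
    for site_a, site_b, reason in audit_vault(SAMPLE_VAULT):
        print(f"{site_a} / {site_b}: {reason}")
```

Only the `forum.example` entry, a generated password with no relation to the others, produces no finding.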
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
While I know that the number of phishing attempts has likely grown, the number that are making it through my spam filters has decreased significantly.
David
Feb 2nd 2010
n3kt0n
Feb 2nd 2010
The e-mail I got last night, asking me to reset my password, was authentic. But yes, it would be nice to know what that phish looked like.
Another possible "phishing" exploit is web sites that ask you for Twitter credentials to post directly from the site to Twitter. I visited one such site yesterday. Have to look at it closer.
Regarding spam filters and phishing: the problem is usually the few good phishing e-mails that make it past the filter.
Dr. J
Feb 2nd 2010
P.S. No, that is not my password :)
Alex
Feb 3rd 2010
AndrewB
Feb 3rd 2010
The passwords are protected by a strong password (and strong encryption/security), and I usually use generated passwords. This is way better than weak passwords.
It makes it almost impossible to hack my passwords. Hackers need to get access to my phone or my computer. Or use an extended charset in their rainbow tables if they get hashes off a website. And they cannot use my Twitter password to go anywhere else.
A good password safe is the way to go.
PHP
Feb 3rd 2010
http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password
A good example of why you should use different passwords for any type of account you setup :)
BigTomUK
Feb 3rd 2010
https://www.twitter.com uses an invalid security certificate. The certificate is only valid for twitter.com (Error code: ssl_error_bad_cert_domain)
Mike A.
Feb 3rd 2010