Twitter is sending out a large number of e-mails asking users to reset their passwords. It appears many passwords were compromised in a recent phishing incident (mine included). When I first received the message, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:
I know it is hard. A lot of people will advise against writing the password down, or against using a "password safe" application. But considering the risks, I tend to advise people to write down their passwords or use a password safe application rather than use bad or repeated passwords.
Johannes 4472 Posts ISC Handler Feb 2nd 2010
Thanks for the link.
While I know that the number of phishing attempts has likely grown, the number that are making it through my spam filters has decreased significantly.
Anonymous |
Feb 2nd 2010
Thanks Johannes. Obviously the phishing particulars were very good in order to catch an expert like yourself. Would you post a technical description of the phish attack?
Anonymous |
Feb 2nd 2010
I don't know which phish I fell for :( (or if I fell for any of them). It may just be that I visited a phishing site while investigating a known phish and as a result showed up as "infected" in Twitter's logs. One reason is that they may have listened to what I wrote a few years back, and looked through their referrer logs to see if any users loaded, for example, images from twitter.com with a referral from the phishing site.
The e-mail I got last night, asking me to reset my password, was authentic. But yes, it would be nice to know what that phish looked like. Another possible "phishing" exploit is web sites that ask you for Twitter credentials to post directly from the site to Twitter. I visited one such site yesterday. I have to look at it more closely. Regarding spam filters and phishing: the problem is usually the few good phishing e-mails that make it past the filter.
Johannes 4472 Posts ISC Handler |
Feb 2nd 2010
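The referrer-log technique Johannes mentions above, as an added example that is not part of the original thread or of anything Twitter published: a phishing page that embeds images from the real site causes the victim's browser to fetch those images with a Referer pointing at the phishing host, so a site operator can list the users who did so. The log lines, the phishing hostname, the trusted-host set and the asset suffixes are all constructed for the example.

```python
"""Find users who loaded a site's embedded assets from a page hosted elsewhere.

Added example. Sample log lines, the phishing hostname
(twitter.com.example-login.invalid) and the host/asset lists are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts that may legitimately embed the site's own assets (assumption).
TRUSTED_REFERRER_HOSTS = {"twitter.com", "www.twitter.com", "m.twitter.com"}

# Only embedded assets are interesting: an external Referer on a page request is
# just a link click, but an external Referer on an image means the image was
# embedded in a page served by that external host.
ASSET_SUFFIXES = (".png", ".gif", ".jpg", ".jpeg", ".css", ".js")

# Apache/nginx "combined" log format; group names are ours.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real Twitter logs).
SAMPLE_LOG = """\
203.0.113.10 - alice [02/Feb/2010:03:14:07 +0000] "GET /images/twitter_logo.png HTTP/1.1" 200 5120 "http://twitter.com/home" "Mozilla/5.0"
198.51.100.7 - bob [02/Feb/2010:03:15:22 +0000] "GET /images/twitter_logo.png HTTP/1.1" 200 5120 "http://twitter.com.example-login.invalid/login" "Mozilla/5.0"
198.51.100.8 - carol [02/Feb/2010:03:16:01 +0000] "GET /images/bg.gif?v=2 HTTP/1.1" 200 800 "http://twitter.com.example-login.invalid/login" "Mozilla/5.0"
203.0.113.11 - dave [02/Feb/2010:03:17:45 +0000] "GET /images/bg.gif HTTP/1.1" 200 800 "-" "Mozilla/5.0"
203.0.113.12 - erin [02/Feb/2010:03:18:00 +0000] "GET /images/bg.gif HTTP/1.1" 200 800 "https://m.twitter.com/" "Mozilla/5.0"
203.0.113.13 - frank [02/Feb/2010:03:19:30 +0000] "GET /home HTTP/1.1" 200 10240 "http://news.example/story" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname of a Referer value, or None when absent ("-" or empty)."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_asset(path):
    """True for requests that a browser issues for embedded content."""
    return urlsplit(path).path.lower().endswith(ASSET_SUFFIXES)


def find_phished(log_text, trusted=TRUSTED_REFERRER_HOSTS):
    """Map each foreign referring host to the sorted (user, ip) pairs seen from it.

    The comparison is an exact hostname match, not a prefix or substring test:
    "twitter.com.example-login.invalid" starts with "twitter.com" but is foreign.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_asset(rec["path"]):
            continue
        host = referer_host(rec["referer"])
        if host is None or host in trusted:
            continue
        hits[host].add((rec["user"], rec["ip"]))
    return {host: sorted(pairs) for host, pairs in hits.items()}


if __name__ == "__main__":
    for host, victims in find_phished(SAMPLE_LOG).items():
        print(host)
        for user, ip in victims:
            print(f"  {user} from {ip}")
```

In the sample, bob and carol are flagged because they fetched images with a Referer from the look-alike host, while dave (no Referer), erin (a trusted host) and frank (an external link to a page, not an embedded asset) are not. Browsers may suppress or trim the Referer, so an empty result does not prove that nobody visited the phishing page; this only finds the users whose browsers did report it.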
Slightly off-topic, but why would anyone advise against using a password safe application? As far as I'm concerned, that's the only way to have secure, unique passwords for every website... there is no way anyone can remember a couple dozen "5rAYa!hE2h#b" passwords. Remembering one of these to authenticate to the password safe is hard enough.
P.S. No, that is not my password :)
oleksiy 34 Posts |
Feb 3rd 2010
I suspect that the problem is using a password safe app that uses insufficient protection. It gives you a false sense of security.
AndrewB 24 Posts |
Feb 3rd 2010
I also use 1Password on my iPhone and my Mac.
The passwords are protected by a strong password (and strong encryption/security), and I usually use generated passwords. This is way better than weak passwords. It makes it almost impossible to hack my passwords. Hackers need to get access to my phone or my computer, or use an extended charset in their rainbow tables if they get hashes off a website. And they cannot use my Twitter password to go anywhere else. A good password safe is the way to go.
Povl H. 79 Posts |
Feb 3rd 2010
Twitter have announced the reason for the password change here:
http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password
A good example of why you should use different passwords for any type of account you set up :)
Povl H. 4 Posts |
Feb 3rd 2010
The correct URL for twitter is https://twitter.com
https://www.twitter.com uses an invalid security certificate. The certificate is only valid for twitter.com (Error code: ssl_error_bad_cert_domain)
Anonymous |
Feb 3rd 2010
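The ssl_error_bad_cert_domain error in the comment above comes from certificate hostname matching: a certificate whose only name is twitter.com does not cover www.twitter.com, because matching is done label by label and a name without a wildcard covers exactly one host. The following is an added example, not code from the thread or from any browser; it implements the RFC 6125 style rules against certificate data in the dict form Python's `ssl.SSLSocket.getpeercert()` returns. The certificate descriptions are constructed and are not the certificate Twitter actually served in 2010.

```python
"""Certificate hostname matching, showing why www.twitter.com fails against a
certificate issued only for twitter.com.

Added example. The CERT_* dicts are constructed stand-ins in the shape returned
by ssl.SSLSocket.getpeercert(), not real certificates.
"""


def _name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (RFC 6125 style rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # A wildcard is accepted only as the entire leftmost label, must be followed
    # by at least two more labels (so "*.com" never matches), and covers exactly
    # one label: "*.twitter.com" matches www.twitter.com but not twitter.com or
    # a.b.twitter.com.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_dns_names(cert):
    """DNS names a certificate is valid for.

    When a subjectAltName extension with DNS entries is present, only those count;
    the commonName is consulted only for certificates without any SAN DNS entry.
    """
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def hostname_matches(cert, hostname):
    """True if the certificate is valid for the given hostname."""
    return any(_name_matches(name, hostname) for name in cert_dns_names(cert))


# Constructed certificate descriptions (assumptions for the example).
CERT_TWITTER_ONLY = {
    "subject": ((("commonName", "twitter.com"),),),
    "subjectAltName": (("DNS", "twitter.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.twitter.com"),),),
    "subjectAltName": (("DNS", "*.twitter.com"),),
}
CERT_BOTH = {
    "subject": ((("commonName", "twitter.com"),),),
    "subjectAltName": (("DNS", "twitter.com"), ("DNS", "www.twitter.com")),
}


def explain(cert, hostname):
    """Return the verdict a browser would reach, with the names it compared against."""
    names = cert_dns_names(cert)
    if hostname_matches(cert, hostname):
        return f"{hostname}: OK (certificate names: {', '.join(names)})"
    return f"{hostname}: bad_cert_domain (certificate names: {', '.join(names)})"


if __name__ == "__main__":
    for host in ("twitter.com", "www.twitter.com"):
        print(explain(CERT_TWITTER_ONLY, host))
```

With CERT_TWITTER_ONLY, twitter.com passes and www.twitter.com is rejected, which is the behaviour the comment describes. The standard library performs the same check for you when a socket is wrapped with `ssl.create_default_context()` and `server_hostname=` set, raising `ssl.SSLCertVerificationError` on a mismatch; the point of spelling it out here is that the check is an exact label comparison, so a site that wants both names needs both in the SAN (as in CERT_BOTH) or a wildcard that covers the extra label.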