
SANS ISC: Twitter Mass Password Reset due to Phishing - Internet Security | DShield SANS ISC InfoSec Forums


Twitter Mass Password Reset due to Phishing

Twitter is sending out a large number of e-mails asking users to reset their passwords. It appears that a large number of passwords were compromised in a recent phishing incident (mine included).

When I first received the message, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:

  1. Delete the e-mail.
  2. Go to Twitter by typing the URL into your browser yourself. Best: use https://www.twitter.com (httpS, not http). (Hey, I got a link for you to make it easier ;-) https://www.twitter.com)
  3. Change your password.
  4. Do not reuse the password, and do not use a simple password scheme (like "twitterpassword" and "facebookpassword").

I know it is hard. A lot of people will advise against writing the password down or using a "password safe" application. But considering the risks, I tend to advise people to write down their passwords or use a password safe application rather than use bad or repeated passwords.


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Brussels September 2019

Johannes

3608 Posts
ISC Handler
Thanks for the link. ;-)

While I know that the number of phishing attempts has likely grown, the number that are making it through my spam filters has decreased significantly.
Anonymous
Thanks Johannes. Obviously the phishing particulars were very good in order to catch an expert like yourself. Would you post a technical description of the phish attack?
Anonymous
I don't know which phish I fell for :( (or if I fell for any of them). It may just be that I visited a phishing site while investigating a known phish and as a result showed up as "infected" in Twitter's logs. One reason is that they may have listened to what I wrote a few years back, and looked through their referrer logs if any users loaded for example images from twitter.com with a referral from the phishing site.

The e-mail I got last night, asking me to reset my password, was authentic. But yes, it would be nice to know what that phish looked like.

Another possible "phishing" exploit is web sites that ask you for Twitter credentials to post directly from the site to Twitter. I visited one such site yesterday. Have to look at it closer.

Regarding spam filters and phishing: the problem is usually the few good phishing e-mails that make it past the filter.
Johannes

3608 Posts
ISC Handler
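The referrer-log check described in the comment above, as an added example that is neither from the post nor from Twitter: it scans web server log lines in the common "combined" format for hot-linked static assets (images) whose Referer header names a host we do not own, and groups the client IPs that loaded them. The log lines and the hostnames in them are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache/nginx "combined" format; none of these are real.
SAMPLE_LOG = """\
10.0.0.1 - - [04/Jan/2010:09:12:01 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "https://twitter.com/home" "Mozilla/5.0"
10.0.0.2 - - [04/Jan/2010:09:12:05 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "http://twitter-login.example/verify.php" "Mozilla/5.0"
10.0.0.3 - - [04/Jan/2010:09:12:09 +0000] "GET /images/bg.gif HTTP/1.1" 200 128 "http://twitter-login.example/verify.php" "Mozilla/5.0"
10.0.0.4 - - [04/Jan/2010:09:12:11 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jan/2010:09:12:15 +0000] "GET /images/logo.png HTTP/1.1" 200 512 "http://www.twitter.com/" "Mozilla/5.0"
10.0.0.6 - - [04/Jan/2010:09:12:20 +0000] "GET /home HTTP/1.1" 200 9000 "http://search.example/?q=twitter" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hostnames we operate (assumed); a Referer from anywhere else on a static asset
# means a third-party page is embedding our images, which a phishing page often does.
OWN_HOSTS = {"twitter.com", "www.twitter.com"}
STATIC_PREFIXES = ("/images/", "/static/")


def referer_host(referer):
    """Lower-cased hostname from a Referer value, or None if absent ("-" or empty)."""
    if referer in ("", "-"):
        return None
    return (urlsplit(referer).hostname or "").lower() or None


def foreign_asset_referers(log_text):
    """Group hits on our static assets by foreign referring host.

    Returns {host: {"hits": n, "clients": {ip, ...}}}. The client set is the
    starting point for identifying which sessions visited the suspect page.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(STATIC_PREFIXES):
            continue  # unparseable, or not a hot-linkable asset
        host = referer_host(m.group("referer"))
        if host is None or host in OWN_HOSTS:
            continue  # direct load or our own pages embedding our own images
        entry = findings.setdefault(host, {"hits": 0, "clients": set()})
        entry["hits"] += 1
        entry["clients"].add(m.group("ip"))
    return findings


if __name__ == "__main__":
    for host, info in foreign_asset_referers(SAMPLE_LOG).items():
        print(f"{host}: {info['hits']} asset hits from {sorted(info['clients'])}")
```

Legitimate third-party embeds (search engines, news sites) will also show up, so the output is a triage list to review, not a verdict.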
Slightly off-topic, but why would anyone advise against using a password safe application? As far as I'm concerned, that's the only way to have secure, unique passwords for every website... there is no way anyone can remember a couple dozen "5rAYa!hE2h#b" passwords. Remembering one of these to authenticate to the password safe is hard enough.

P.S. No, that is not my password :)
oleksiy

34 Posts
I suspect that the problem is using a password safe app that uses insufficient protection. It gives you a false sense of security.
AndrewB

24 Posts
I also use 1Password on my iPhone and my Mac.
The passwords are protected by a strong password (and strong encryption/security), and I usually use generated passwords. This is way better than weak passwords.

It makes it almost impossible to hack my passwords. Hackers need to get access to my phone or my computer, or use an extended charset in their rainbow tables if they get hashes off a website. And they cannot use my Twitter password to go anywhere else.

A good password safe is the way to go.
Povl H.

71 Posts
Twitter has announced the reason for the password change here:

http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password

A good example of why you should use different passwords for any type of account you set up :)
Povl H.
4 Posts
The correct URL for twitter is https://twitter.com

https://www.twitter.com uses an invalid security certificate. The certificate is only valid for twitter.com (Error code: ssl_error_bad_cert_domain)
Anonymous
