Some users of microblogging site Twitter have been encouraged to change their passwords following ‘suspicious users' that they were following.
In a blog update titled ‘Reason #4132 for Changing Your Password', Twitter's director for health and safety Del Harvey said that the site had ‘noticed a sudden surge in followers for a couple [of] accounts in the last five days' and given the circumstances surrounding this, it pushed out a password reset to accounts that were following these suspicious users.
The Twitter safety feed displayed a tweet saying: “Got an email from us saying we've reset your password? A small [number] of [accounts] seemed possibly affected offsite and we took a precautionary step.”
Harvey hinted at a compromise by a third party on the accounts. He said: “Torrent sites aren't exactly ‘new'; however, this is one of the first times that we've seen an attack that came from this vector. It appears that for a number of years, a person has been creating torrent sites that require a login and password, as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own.
“However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address and password of every person who had signed up.”
He further claimed that additional exploits to gain admin root on forums, which were not created by this person, also appear to have been utilised and in some instances, the exploit involved redirecting attempts to access the forums to another site that would request login information. This information was then used to attempt to gain access to third party sites such as Twitter.
Harvey said: “We haven't identified all of the forums involved (nor is it likely that we'll be able to, since we don't have any connection with them), but as a general rule, if you've signed up for a torrent forum or torrent site built by a third party, you should probably change your password there.”
Twitter said that there was a ‘high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts'. It strongly suggested that you use different passwords for each service you sign up for.
Stephen Howes, CEO of GrIDsure, said: “The Twitter hacking case is yet another demonstration of the inherent weakness of fixed passwords. Not only are they easy to break, but the same password is often used across a number of consumer and business accounts because they are not easy to remember – clearly shown by the ‘forgot my password' feature present on the password login screen.
“In order to genuinely improve security, organisations need to abandon login systems based on fixed passwords and PINs and replace this flawed method of authentication with a one-time passcode method. By making this change, organisations will reduce cases of data loss and identity theft while also saving money and improving customer satisfaction to boot."