Twitter Dealing with Phishing Attack

UPDATE AT 11 P.M. ET: Twitter director of trust and safety Del Harvey explained why some users of the microblogging service had to reset their passwords, in a post on the Twitter Status Blog titled Reason #4132 for Changing Your Password. Highlights follow:

As part of our ongoing efforts to monitor our user base for odd activity, we noticed a sudden surge in followers for a couple of accounts in the last five days. Given the circumstances surrounding this, we felt it was best to push out a password reset to accounts that were following these suspicious users.

Torrent sites aren’t exactly “new”; however, this is one of the first times that we’ve seen an attack that came from this vector. It appears that for a number of years, a person has been creating torrent sites that require a login and password, as well as creating forums set up for torrent-site usage, and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and back doors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the user name, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third-party sites like Twitter. We haven’t identified all of the forums involved (nor is it likely that we’ll be able to, since we don’t have any connection with them), but as a general rule, if you’ve signed up for a torrent forum or torrent site built by a third party, you should probably change your password there.
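The follower-surge check the post alludes to, as an added illustration rather than Twitter's own code (the post gives no thresholds or implementation details; the account names, follow events and thresholds below are constructed for the example). It flags accounts whose follower growth over the last few days runs far ahead of their earlier baseline, then collects every account following them, which is the set the post says received a forced password reset:

```python
"""Follower-surge heuristic, added here as an illustration of the check
described in Twitter's post. Not Twitter's code; every name, timestamp and
threshold is constructed for the example."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed follow events: (when, follower, followed). In a real system
# these would come from the follow-graph change log.
EVENTS = [
    # @tips_lure picks up a handful of followers over the month ...
    *[(datetime(2010, 1, d), f"early{d}", "tips_lure") for d in range(1, 6)],
    # ... then 300 in the final five days (the surge), one every 20 minutes.
    *[(datetime(2010, 1, 27) + timedelta(minutes=20 * i), f"victim{i}", "tips_lure")
      for i in range(300)],
    # @steady_news grows at a constant four follows a day all month: no surge.
    *[(datetime(2010, 1, 1) + timedelta(hours=6 * i), f"reader{i}", "steady_news")
      for i in range(124)],
]
NOW = datetime(2010, 2, 1)  # constructed "time of the check"


def surge_accounts(events, now, window_days=5, baseline_days=26,
                   min_new=100, ratio=10.0):
    """Return {account: (recent_count, baseline_count)} for accounts that
    gained at least `min_new` followers in the last `window_days` at more
    than `ratio` times their per-day rate over the preceding `baseline_days`.
    Thresholds are assumptions chosen for the constructed data."""
    window_start = now - timedelta(days=window_days)
    baseline_start = window_start - timedelta(days=baseline_days)
    recent, baseline = Counter(), Counter()
    for when, _follower, followed in events:
        if window_start <= when < now:
            recent[followed] += 1
        elif baseline_start <= when < window_start:
            baseline[followed] += 1
    flagged = {}
    for account, n in recent.items():
        recent_rate = n / window_days
        # Floor the baseline at one follow so a brand-new account with no
        # history still yields a finite ratio instead of a division by zero.
        baseline_rate = max(baseline[account], 1) / baseline_days
        if n >= min_new and recent_rate / baseline_rate >= ratio:
            flagged[account] = (n, baseline[account])
    return flagged


def followers_to_reset(events, flagged):
    """Every account that follows a flagged account, regardless of when the
    follow happened: the post resets all followers of the suspicious users,
    not only the recent ones."""
    return {follower for _when, follower, followed in events if followed in flagged}


if __name__ == "__main__":
    flagged = surge_accounts(EVENTS, NOW)
    for account, (recent, base) in flagged.items():
        print(f"{account}: {recent} follows in window vs {base} in baseline")
    print(f"{len(followers_to_reset(EVENTS, flagged))} accounts to reset")
```

The absolute floor (`min_new`) keeps tiny accounts from being flagged when two follows become twenty, and the ratio test keeps a genuinely popular account with a steady baseline from being flagged for ordinary growth; the real risk in production is the opposite error, where an account that goes legitimately viral also trips the rule, so the output is a candidate list for review, not an automatic reset trigger.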

Several Twitter users have received emails from the microblogging service, which Mashable reports are genuine, advising them that they need to change their passwords and supplying a link for them to do so.

The emails read: “Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset.”

The Next Web updated its report, pointing to the user account @THCx:

We’re hearing unconfirmed reports from Twitter users that this might be in regard to a user account @THCx. A thread on Twitter’s support system recommends that users change their passwords immediately if they are currently following that specific Twitter account.

@THCx, supposedly a tips/tutorials service, has managed to gain access to over 42,000 user accounts in a matter of days and doesn’t appear to be following one.

Blogger Andrew Girdwood detailed his own experience on his blog, posting:

This morning, I had an email that really looked like it was from Twitter. It suggested that my password had been changed due to “phishing attack that took place off-Twitter.” I found myself thinking, “Sly, but not sly enough,” followed by, “Hey, that really does look like Twitter; there’s no hidden URL in the password reset.”

I checked Twitter. I couldn’t log in. My password really had changed.

So I copied the link to plain text, poked it some more, and decided to follow it. I had to change my password. A quick check of my account shows no extra followers or people followed. It shows no extra tweets or DMs.