Bridget ([personal profile] bugshaw) wrote 2013-02-02 07:50 am

Twitter security compromise

I got a couple of emails in the early hours from Twitter, saying "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
You'll need to create a new password for your Twitter account. You can select a new password at this link..."

* The email appeared to come from Twitter, and specifically from the same email address they use to send to my account (which contains a ROT-13'd version of my email address).
* The links in the email looked legitimate, and they gave an alternative method to reset by typing the usual Twitter page into the browser and following menus.
BUT
* They addressed me as "@bugshaw" or "Dear Twitter user" where every other email I have had from Twitter addresses me as "$Full name associated with the account".

How suspicious do I need to be?

As there is a blog post about it, I've gone with the password change, but it's interesting how our brains get trained into suspicion.
http://blog.twitter.com/2013/02/keeping-our-users-secure.html
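The checks in the post (do the links really go to Twitter, does the visible link text agree with the real target, is the greeting generic) can be mechanised. The script below is an added example, not part of the post and not Twitter's code; it assumes twitter.com is the domain the mail claims to come from, that the account holder's name is "Bridget", and it runs over two constructed HTML bodies: one shaped like a genuine reset mail and one shaped like a phish trading on the same news. The domain test deliberately avoids a plain substring match, which would accept hosts like twitter.com.example-phish.test.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "twitter.com"  # assumption: the sender the mail claims to be


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it.

    A substring test would wrongly accept 'twitter.com.example-phish.test'
    and 'eviltwitter.com'; this one does not.
    """
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_links(html, expected_domain=EXPECTED_DOMAIN):
    """Return [(href, [problem, ...])] for every link that fails a check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        problems = []
        if parts.scheme != "https":
            problems.append("not https")
        if not host_in_domain(parts.hostname, expected_domain):
            problems.append(f"host {parts.hostname!r} is not under {expected_domain}")
        # Visible text that reads as a URL must agree with where the link really goes.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != (parts.hostname or ""):
            problems.append(
                f"text shows {shown.group(1)!r} but link goes to {parts.hostname!r}"
            )
        if problems:
            findings.append((href, problems))
    return findings


def salutation_is_generic(text, expected_name):
    """True if the first line of the mail does not address the account holder by name."""
    stripped = text.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    return expected_name.lower() not in first_line.lower()


# Constructed sample bodies (not real Twitter mail). LEGIT_HTML is the shape a
# genuine reset mail should take; PHISH_HTML is the shape of a phish that copies it.
LEGIT_HTML = """<p>Dear Bridget,</p>
<p>You can select a new password at
<a href="https://twitter.com/account/resend_password">this link</a>.</p>"""

PHISH_HTML = """<p>Dear Twitter user,</p>
<p>Reset now:
<a href="http://twitter.com.example-phish.test/reset">https://twitter.com/settings/password</a></p>"""

if __name__ == "__main__":
    for label, body in (("legit", LEGIT_HTML), ("phish", PHISH_HTML)):
        print(label, "links:", audit_links(body))
        print(label, "generic salutation:", salutation_is_generic(body, "Bridget"))
```

The constructed phish trips all three link checks (plain http, a host that is not under twitter.com, and visible text that names twitter.com while the href goes elsewhere) and the salutation check; the constructed genuine mail trips none. None of this replaces the advice in the comments below, which is simply to type the site's address yourself rather than follow any link in the mail.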

[identity profile] techiebabe.livejournal.com 2013-02-02 09:41 am (UTC)

[identity profile] http://users.livejournal.com/la_marquise_de_/ 2013-02-02 10:16 am (UTC)
I would have been suspicious as well, I have to say.

[identity profile] murphys-lawyer.livejournal.com 2013-02-02 10:53 am (UTC)
As someone who reminds/trains colleagues about the constant scamming that uses this method, I'd say you were suspicious enough.

If there's a contact point at Twitter I'd suggest you point out your suspicions to them.

[personal profile] redbird 2013-02-02 12:35 pm (UTC)
I got the same thing, and dealt with it by going to twitter.com without following the links, and telling it to reset my password.

I get enough real random "reset your password" emails from Twitter that I almost ignored this. (Is it my fault that people enter the username they wish they had, rather than the one they do, for "reset my password"?)

[identity profile] surliminal.livejournal.com 2013-02-02 03:48 pm (UTC)
As I understand it, the hack was real enough, but any email sent out with a link in it to where you were meant to redo your password was a phishing scam.
I ignored 2 and didn't reset my password. Weirdly, Twitter was still ok on my phone but not on the iPad. I probably had better change my password, but I am bemused. Also annoyed, as I reset my Twitter password only last week when I foolishly caught a bug...
Edited 2013-02-02 15:48 (UTC)

[identity profile] bovil.livejournal.com 2013-02-02 05:53 pm (UTC)
The funny thing is people are more suspicious of the official Twitter mail than they are of "you gotta see this pic of you! http://cr.ap/junk" direct messages that spread this last attack, and pretty much every twitter attack in history.

I got 2, maybe 3 of them this time, deleted them and wasn't impacted.

[personal profile] uitlander 2013-02-03 09:54 am (UTC)
We have this problem with the cancellation messages we send to people. We try to make them not look like phishing messages, but inevitably a percentage of people claim they thought the warning was spam.

It's difficult - we publish details of how we cancel accounts on our website, and also run publicity campaigns. Some people seem to think we should phone them or send them a letter, but with 1,000 people a month that is not a viable option.

Generally we want people to err on the side of suspicious. It's not an easy one.