Twitter's director of Trust and Safety, Del Harvey, recently explained in a blog post why the company sent password resets to a number of accounts. After observing "a sudden surge in followers for a couple accounts" in the days before the announcement, Twitter began investigating the source of the unusual activity and traced it to various torrent sharing Web sites and forums.
It appears, though, that the person responsible for the hijacking of Twitter accounts was not so much the owners of those Web sites as their original creator. According to Del Harvey, "It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up."
At first glance, only the accounts on those sites and forums would seem to be at risk after such an intrusion. But most people use a single email address everywhere, and a great many also use the same password, or one with only minor variations, for their accounts on several Web sites. The attacker could therefore try the harvested email address / password combinations against Twitter and take over any account where they matched.
Twitter could not say precisely which Web sites were vulnerable or how many there were, and it will probably never be able to identify them all. The general advice is that if you have an account on a third-party torrent sharing Web site or forum, you should change your password there, on Twitter, and anywhere else you used the same password. Using a different password for every account (and, where practical, a different email address or username) should become a regular practice to mitigate account hijackings of this sort.
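The check a service in Twitter's position would want to run is the defender's side of the attack described above: take the leaked email / password pairs, look for matching local accounts, and see whether the stored password hash verifies against the leaked password or one of the trivial variations people use to "differ" a reused password. The script below is an added illustration, not Twitter's code or anything from Harvey's post; the leaked dump, the user table, the PBKDF2 storage format and the list of mutation rules are all constructed assumptions. It generalizes slightly beyond the article by also catching passwords reused with a site-name suffix or a trailing digit, since attackers try those too.

```python
import hashlib
import hmac
import os
import re

# Constructed leaked credential dump, in the shape an attacker might recover
# from a backdoored forum: one "email:cleartext password" per line.
LEAKED_DUMP = """\
alice@example.org:Summer2009
bob@example.org:hunter2
carol@example.org:torrentz4life
dave@example.org:letmein
"""


def hash_password(password: str, salt: bytes, iterations: int = 10_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the service stores (assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_table(plaintext_users):
    """Build a demo user table {email: (salt, hash)}; a real store never keeps the plaintext."""
    table = {}
    for email, pw in plaintext_users:
        salt = os.urandom(16)
        table[email] = (salt, hash_password(pw, salt))
    return table


def password_variants(password: str):
    """Yield the leaked password plus the trivial mutations people use when
    'changing' a reused password: case flips, stripped/added trailing digits
    or symbols, and a site-name suffix (assumed rule set)."""
    seen = set()
    stripped = re.sub(r"[\d!]+$", "", password)
    candidates = [password, password.lower(), password.capitalize(),
                  password.upper(), stripped]
    for suffix in ("1", "!", "123", "twitter", "Twitter"):
        candidates.append(password + suffix)
        candidates.append(stripped + suffix)
    for c in candidates:
        if c and c not in seen:
            seen.add(c)
            yield c


def parse_dump(text: str):
    """Parse 'email:password' lines; skip blanks and malformed lines."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, pw = line.split(":", 1)
        creds.append((email.strip().lower(), pw))
    return creds


def accounts_to_reset(dump_text: str, user_table: dict):
    """Return {email: matched_variant} for local accounts whose stored hash
    verifies against the leaked password or one of its trivial variants.
    These are the accounts that should get a forced password reset."""
    hits = {}
    for email, leaked_pw in parse_dump(dump_text):
        record = user_table.get(email)
        if record is None:
            continue  # no local account registered under that email
        salt, stored = record
        for candidate in password_variants(leaked_pw):
            # constant-time comparison of the recomputed hash with the stored one
            if hmac.compare_digest(hash_password(candidate, salt), stored):
                hits[email] = candidate
                break
    return hits


# Constructed local user table: alice reused her forum password verbatim,
# bob "changed" it by appending the site name, carol uses a unique password,
# and erin never had a forum account at all.
DEMO_USERS = make_user_table([
    ("alice@example.org", "Summer2009"),
    ("bob@example.org", "hunter2twitter"),
    ("carol@example.org", "correct horse battery staple"),
    ("erin@example.org", "unrelated-Pa55"),
])

if __name__ == "__main__":
    for email, variant in accounts_to_reset(LEAKED_DUMP, DEMO_USERS).items():
        print(f"reset {email}: leaked password reused as {variant!r}")
```

Only alice and bob are flagged: carol's password on the forum bears no relation to her local one, and dave has no local account. The variant list is deliberately small; a real run would use a proper mangling rule set, but the point is the same: a password that differs from a leaked one by a suffix is, for this purpose, the same password.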
This is one thing Harvey emphasizes at the end of the blog post, which also links to a Twitter-provided page of basic security measures and general guidelines for protecting your data and identity on the Internet.