Risk
11/9/2012
09:02 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Twitter Password Security: 5 Things To Know

Twitter's response to compromised accounts teaches us lessons in social (networking) security.

How 6 Tech Execs Set Social Example
How 6 Tech Execs Set Social Example
(click image for larger view and for slideshow)
If you know anything about phishing, you know that a common tactic is to send an email -- under the guise of a commonly used service -- that includes some kind of provocative come-on. Sometimes the email will say that an account has been compromised and that a password reset is required. The idea is to get people to click through to a site and give up their personal info.

But what if a real company sends a real email warning to users that they may have been compromised by a phish from a fake company using a bogus email? Confused?

So were Twitter users on Thursday after all of this happened to them. Here are five things you should know about the alleged Twitter hack, and some things you can do to stay safe (or at least safer).

1. This week, some personal and business Twitter accounts, including TechCruch, fell prey to a phishing scheme of some kind.

2. Hacked Twitter accounts sent out messages promising special "deals" for those who clicked through a link included with the email. The emails, and the site, were not legitimate.

3. As a result, and to be on the safe side, Twitter reset passwords. A lot of passwords. This practice is in keeping with what Twitter states on its Help Center page: "If we suspect your account has been phished or hacked, we may reset your password to prevent the hacker from misusing your account."

[ Learn from those who are doing it right. Read 7 Lessons From Social Business Leaders. ]

4. Twitter sent an email to "affected" users. TechCrunch published the text of the email, which said: "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account." The email went on to instruct users to create a new password for their Twitter accounts. Unfortunately, users were instructed to select a new password by clicking on a link from the email -- something end users are taught not to do if they are unsure of the source.

5. Twitter acknowledged on its status site that it may have overdone the password resets: "We're committed to keeping Twitter a safe and open community," the blog said. "As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users. In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused."

Twitter also directed users to its support site, which provides tips for keeping accounts and passwords safe. Twitter's recommendations include:

-- Use a strong password.

-- Watch out for suspicious links, and always make sure you're on Twitter.com before you enter your login information.

-- Make sure your computer and operating system is up-to-date with the most recent patches, upgrades and anti-virus software.

-- Make sure you're on Twitter.com before logging in: Whenever you are prompted to enter your Twitter password, just take a quick look at the URL and make sure you're actually on Twitter.com.

-- If you're using a public computer, like at a library or school, make sure you always sign out of Twitter when you're done.

Were you a victim of the phishing scheme? Regardless, did Twitter change your password on you? What did you think of the process? Please let us know in the comments section below.

Follow Deb Donston-Miller on Twitter at @debdonston.

Online retailers are stuck in a maze of e-business security and PCI compliance requirements. The new, all-digital special issue of Dark Reading gives you 10 Ways To Secure Web Data. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Eric_Brown
50%
50%
Eric_Brown,
User Rank: Apprentice
11/12/2012 | 4:55:35 PM
re: Twitter Password Security: 5 Things To Know
The first thing should be THERE IS NO SECURITY! They say GǣWeGre committed to keeping Twitter a safe and open community and educating you, our users, about the best ways to keep your accounts secureGǥ. I find it kind of amusing that they virtually want to be hacked, spammed and viewed as not being secure by telling people like they have in the past, that you need to learn how to manage the damage when you get GǣcompromisedGǥ. And they will continue to be HACKED defrauded and a continual source of annoying spam until they implement stronger guidelines and in my opinion implement some form of 2FA (two-factor authentication) where you can telesign into your account.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.