Social networking firm outlines exploit that forced many users to reset their passwords
Social networking giant Twitter yesterday gave an explanation for the forced reset of user passwords that it issued earlier this week.
In an unusual blog by Del Harvey, director of trust and safety, Twitter offered details on the phishing attack that occurred through torrent sites.
"It appears that for a number of years, a person has been creating torrent sites that require a login and password, as well as creating forums set up for torrent site usage," the blog says. The perpetrator then sold "these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own," Harvey says.
"However, these sites came with a little extra -- security exploits and backdoors throughout the system," Harvey continues. "This person then waited for the forums and sites to get popular, and then used those exploits to get access to the username, email address, and password of every person who had signed up.
"Additional exploits to gain admin root [access] on forums that weren't created by this person also appear to have been utilized," the blog says. "In some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third party sites like Twitter."
Twitter hasn't identified all of the forums involved, and it probably won't be able to, Harvey says. "But as a general rule, if you've signed up for a torrent forum or torrent site built by a third party, you should probably change your password there," he advises.
The lesson: Don't use the same email address and password on multiple sites, Harvey warns.
"Through our discussions with affected users, we've discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts," the blog says. "While not all users who were sent a password reset request fall into this category, we felt that it was important to put this knowledge out there, so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024