Users of the Twitter micro-blogging service are being warned to change their passwords after a round of phishing incidents hit thousands of Twitter users over the weekend. In addition, the company said in a blog post today that it discovered 33 Twitter accounts had been “hacked,” including CNN’s Rick Sanchez and President-elect Barack Obama.
“We immediately locked down the accounts and investigated the issue. Rick, Barack and others are now back in control of their accounts,” Twitter said in a blog post today.
The weekend incident involved messages that appeared to come from real Twitter users and directed recipients to Web sites hosting malicious code.
In an apparent tie-in to Macworld, which is running in San Francisco through Thursday, one phish today offered users a chance to win an iPhone if they provided their user names and passwords.
On its blog, Twitter is advising users to look closely at the URL of any site that asks them to sign in after they follow a link in a tweet. On Saturday, in a follow-up message, it told users to change their Twitter passwords if they think they need to.
A losing battle?
However, Twitter may be fighting a losing battle, according to Graham Cluley, senior technology consultant at security and antivirus vendor Sophos, who has been tracking the issue closely. “They’ve been doing a relatively good job of warning people, they’ve been trying to remove phishing messages from people’s screens, but this is running away from them,” Cluley told InternetNews.com.
Twitter co-founders Evan Williams, Biz Stone and lead engineer Alex Payne could not be reached for comment by press time.
The perils of tweeting
The Obama campaign account, which had not been used since election day, was hacked and used to send out an affiliate link to a survey offering participants the chance to win $500 in gas money. Obama had made heavy use of Twitter throughout his campaign and is the most-followed person on the site, according to Twitterholic.com, which provides statistics on the popularity of Twitter users.
CNN anchorman Rick Sanchez’s blog has a lively discussion about his Twitter problem. Hackers sent out a tweet that appeared to come from Sanchez, saying he would not be at work that day because he was high on crack.
“This is pretty embarrassing for organizations and corporate bodies trying to use Twitter to keep in touch with people,” Sophos’ Cluley said. “It’s bad news for Twitter, which is trying to find a revenue stream.”
Twitter has been constantly dogged by questions about whether it can survive and make money; CEO and co-founder Evan Williams said in December that the site was looking at generating revenue in the first quarter of this year. This most recent spate of phishing attacks may make it harder for the site to do so.
The problem will spread because several users have already handed their login details to the phishers, Cluley warned.
Twitter has been troubled by security issues for a while, and back in July it posted a blog entry stating it was involved in an ongoing battle with spammers.
Sophos’ Cluley said Twitter needs to beef up its security. “Perhaps some sort of message should pop up saying ‘You’ve clicked on this link, is this really where you want to go’, and maybe they need to start scanning Twitter messages coming into their user accounts,” he said.
“The problem is that Twitter truncates incoming URLs to keep to its 140-character limit, and that opens up the system to hackers because users cannot see what link they are going to until after they have clicked on it.”
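The two checks this advice turns on, inspecting where a link in a tweet really leads (Twitter's guidance above) and seeing why a truncated display cannot tell you that (Cluley's point), as an added example written for this page and not code from Twitter or Sophos. It assumes that twitter.com and www.twitter.com are the only hosts at which a Twitter sign-in prompt is legitimate, and the sample links are constructed for illustration, not URLs from the incident.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only hosts at which a Twitter sign-in
# prompt is legitimate. Not taken from the article.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}


def effective_host(url: str):
    """Return the host a browser would actually connect to for `url`, or None
    if it is not a usable http(s) link (javascript:, data:, a bare path, ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname strips any user:pass@ prefix and the port and lowercases, so
    # "http://twitter.com@evil.example/" yields "evil.example", not "twitter.com".
    return parts.hostname


def classify_link(url: str) -> str:
    """Classify a link as it might appear in a tweet:
      trusted   - connects to one of TRUSTED_HOSTS
      lookalike - mentions a trusted host name but connects somewhere else
      external  - an ordinary link to some other site
      not-http  - not a usable http(s) URL at all"""
    host = effective_host(url)
    if host is None:
        return "not-http"
    if host in TRUSTED_HOSTS:
        return "trusted"
    # The trusted name appears somewhere in the text of the link (subdomain,
    # userinfo, path) but the browser would go elsewhere: the classic phish.
    if any(t in url.lower() for t in TRUSTED_HOSTS):
        return "lookalike"
    return "external"


def truncated_display(url: str, limit: int) -> str:
    """Mimic a client that shows only the first `limit` characters of a link."""
    return url if len(url) <= limit else url[:limit] + "..."


if __name__ == "__main__":
    # Constructed sample links for illustration; not URLs from the incident.
    samples = [
        "http://twitter.com/login",
        "http://twitter.com.login.example.net/",
        "http://twitter.com@example.net/login",
        "http://example.net/twitter.com/login",
        "http://example.net/",
        "javascript:alert(1)",
    ]
    # The first three all display identically when cut at 18 characters.
    for url in samples:
        print(f"{truncated_display(url, 18):24} -> {classify_link(url)}")
```

The point of the truncated display is that a legitimate `http://twitter.com/login` and a lookalike `http://twitter.com.login.example.net/` render as the same `http://twitter.com...` once shortened, so the only reliable check is the host the browser actually lands on, which `effective_host` extracts the way a browser would.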