Just days after popular social networking tool Twitter was hit with a phishing scam, the company is now trying to clean up a mess surrounding a separate hacking attack.
Over the weekend, some Twitter users received tweets (as Twitter messages are called) inviting them to visit certain sites or blogs. The URL in the message redirected users to a bogus login page in an attempt to steal login credentials for a phishing scheme. Monday, things got worse as Twitter officials revealed several high profile accounts, such as those of Britney Spears and Barack Obama, were hacked.
"It appears someone gained access to the tools Twitter uses to control its millions of accounts," explained Graham Cluley, a senior technology consultant at security firm Sophos PLC. "Internal tools used by the tech support team were compromised. It's not clear if it was an inside job, or outside hacker. Twitter does say they think it was an individual."
The hack, according to Cluley, is much more serious than the earlier phishing attack because it was compromise of the system that potentially exposed all Twitter users to the following dangers.
Fraudalent password use
If you gain access to someone's Twitter account, you might be able to gain access to their password, said Cluley.
"We know that 41 percent of people admit to using the same password on every web site and account that they access," he said. (See How to Write Good Passwords for advice on creating a set of passwords that are memorable but not identical.)
Hackers, while gaining access to something seemingly simply like a username and password to a non-critical account, may very well be able to use the information to gain access to more important information, such as your bank account.
Twitter officials said 33 accounts had been attacked in the latest hack, including high-profile users such as Britney Spears and Barack Obama. The hackers used their temporary access to send offensive messages. CNN journalist Rick Sanchez found his account had been hacked with a message that read "i am high on crack right now might not be coming to work today."
The damage could have been much worse, said Cluley, if the hacker had decided to take a different approach.
"Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: 'Here's my new video. Click on this link.' Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: 'I've just made a new speech. Check it out.' a lot of people would click on that link and get infected."
Identity theft Facebook and other Web 2.0 tools, it is always possible people are sharing too much information, said Cluley, which could be useful for the purpose of identity theft or other illegal activity.
Much like with
"Imagine you have fraudulent access to an account and you have ex you are stalking? There may be information up there you dont want people to have."
Cluley said ultimately this news begs the question of why weren't Twitter systems more secure and what are the implications for the company.
"Some people are saying this ruins Twitter," said Cluley. "Twitter had been looking for a business model, a way to make money, and now that is no longer viable, according to some criticism. But I would say if that were the case, then e-mail and web sites would be no longer viable either. People are still going to carry on using Twitter. Twitter is becoming an enormous success story. This really is the first big headache theyve had. But it's an appalling start of the year for them on the security side."