Twitter forces some users to change their password due to suspected phishing attack

I got a shock last evening when I couldn’t log in to my Twitter account. I’m sure I typed the correct password. But after 3 tries, my account was locked out for 1 hour. Something is fishy here. I tried to request a password reset even though I’m definitely sure that I got the right password. That’s when I saw another email from Twitter that came a couple of hours ago. It said that my Twitter account may have been compromised in a phishing attack.

That email itself looks like a phishing email. But it isn’t. It is really from Twitter and they really reset my password. That’s why I couldn’t log in to Twitter.
NOTE: If you got a similar email, I suggest that you do not click the link. Instead, go to the Twitter website directly and reset your password manually, just to be safe, since you are not the person who requested the password reset.
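The reason the note above says "go to the website directly" is that a reset link can be made to look like it points at twitter.com while actually landing somewhere else. The following is an added example, not code from the original post or from Twitter: a small check that extracts the real host from a link and compares it against a short allow-list. The allow-list, the sample links and the `/reset` path are constructed for illustration and are assumptions, not anything observed in the real email.

```python
"""Check whether a password-reset link really points at the site it claims to.

Added example, not from the original post. TRUSTED_HOSTS and SAMPLE_LINKS are
constructed for illustration (assumption), not taken from a real email.
"""
from urllib.parse import urlsplit

# Hosts the user trusts for a password reset. Assumption: a fixed allow-list;
# a real mail client would not know this and would only show the target URL.
TRUSTED_HOSTS = {"twitter.com", "www.twitter.com"}

# Constructed links, not real email content. Each "suspect" one shows a
# common lookalike trick: trusted name as a subdomain of another domain,
# trusted name in the userinfo part before '@', plain http, and a raw IP.
SAMPLE_LINKS = [
    "https://twitter.com/reset",
    "https://twitter.com.example.net/reset",
    "https://twitter.com@example.net/reset",
    "http://twitter.com/reset",
    "https://203.0.113.5/reset",
]


def link_is_trusted(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if the link uses https and its real host is on the allow-list.

    urlsplit(...).hostname drops any userinfo ("user@") and port and
    lower-cases the name, so "https://twitter.com@example.net/" resolves to
    the host "example.net", and "https://TWITTER.COM:443/" to "twitter.com".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False          # reset links over http (or javascript:) are never trusted
    host = parts.hostname
    if not host:
        return False          # no host at all (e.g. "https:///reset")
    return host in trusted_hosts


def classify_links(urls, trusted_hosts=TRUSTED_HOSTS):
    """Map each URL to 'trusted' or 'suspect', e.g. for display next to the link."""
    return {u: ("trusted" if link_is_trusted(u, trusted_hosts) else "suspect")
            for u in urls}


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:8} {url}")
```

Only the first constructed link passes; the others are rejected because the real host is `twitter.com.example.net`, `example.net`, or an IP, or because the scheme is not https. An exact-match allow-list is deliberately strict: a substring test such as `"twitter.com" in url` would accept every one of the lookalikes.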
Mashable reports that this could be linked to the @THCx user on Twitter. That explains why I was following that account yesterday morning when I’ve never seen that nick before. I didn’t think that my account was compromised. I just thought that it might be a bug or I might have accidentally clicked follow. (Or some stupid website that made me automatically follow their Twitter account after I used it)
I didn’t think about reporting them or anything. Damn. Now I feel stupid. How could I just ignore this common symptom of a compromised account?
Twitter updated its status blog on what happened. It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third party sites like Twitter.
Hmmm….. I don’t remember registering for any torrent forums. But it’s quite hard for me to pinpoint which forum that is since they said the person might have waited for a number of years. Maybe I registered for one several years ago but forgot?
WHAT I do know is that I should change all my passwords. Serves me right for reusing my password for some accounts. This is bad, bad IT practice. I know. They taught me in school. Never reuse your password for different website logins. I just chose to ignore it. Tsk tsk.
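The Twitter status text above describes the attack (credentials harvested from backdoored forums, then tried against Twitter), and the paragraph above makes the point that reuse is what turned a forum leak into a Twitter lockout. The following is an added example, not code from the original post or from Twitter, showing the operator-side check that such a forced reset implies: take the leaked email/password pairs, verify each against the site's own salted password hashes, and invalidate only the accounts where the leaked password actually works. The user records, the leak and the PBKDF2 parameters are constructed for illustration (assumptions); Twitter's actual procedure is not described on the page beyond the fact that affected users were forced to reset.

```python
"""Find accounts whose password was reused on a breached third-party site,
and force a reset for exactly those accounts.

Added example, not from the original post or from Twitter. OUR_USERS and
FORUM_LEAK are constructed sample data (assumption), not real accounts.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # PBKDF2 work factor; assumption chosen for the example


def hash_password(password, salt=None):
    """Return (salt, digest) for a password using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_db(accounts):
    """accounts: iterable of (email, password) -> {email: (salt, digest)}.
    Passwords are hashed once here; the plaintext is never stored."""
    return {email.lower(): hash_password(pw) for email, pw in accounts}


def find_reused_credentials(leak, user_db):
    """Return the set of emails whose leaked password also logs in here.

    leak: iterable of (email, plaintext_password) pairs harvested from the
    breached forum. Emails not registered here, or whose leaked password does
    not verify against our hash, are not affected and are left alone.
    """
    affected = set()
    for email, leaked_pw in leak:
        record = user_db.get(email.lower())
        if record is None:
            continue                      # never signed up here
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            affected.add(email.lower())   # same password on both sites
    return affected


def force_reset(user_db, affected):
    """Invalidate the stored hash for each affected account by replacing it with
    the hash of a random value nobody knows, so the old password stops working
    and the user has to go through the reset flow (as described in the post)."""
    for email in affected:
        user_db[email] = hash_password(os.urandom(32).hex())
    return user_db


# Constructed sample data (assumption). Only alice reused her forum password.
OUR_USERS = [
    ("alice@example.org", "correct horse battery staple"),
    ("bob@example.org", "hunter2"),
    ("carol@example.org", "uniqueForThisSite!"),
]
FORUM_LEAK = [
    ("alice@example.org", "correct horse battery staple"),  # reused -> affected
    ("bob@example.org", "letmein"),                          # different here
    ("carol@example.org", "forumpass"),                      # different here
    ("dave@example.org", "hunter2"),                         # not our user
]


def run_example():
    """Build the DB, find reused credentials, reset them; return (affected, db)."""
    db = build_user_db(OUR_USERS)
    affected = find_reused_credentials(FORUM_LEAK, db)
    force_reset(db, affected)
    return affected, db


if __name__ == "__main__":
    affected, _ = run_example()
    print("forced reset for:", sorted(affected))
```

Two properties of the approach are worth noting. The check needs the leaked password in plaintext (or crackable form), which is exactly what a backdoored forum hands the attacker; a site that only ever stores salted, iterated hashes cannot be the source of such a list. And the matching is done by verifying against the site's own hashes rather than comparing plaintexts, so the operator never has to store its users' passwords to run it. Carol in the sample data shows the user-side lesson from the paragraph above: a password that is unique to this site is untouched by the forum leak.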
OK, you may laugh at me in the comment section.
