John Paczkowski


Twitter: We Reset Some Passwords as Security Measure

According to Sophos’s 2010 Security Threat Report, there has been a dramatic rise in attacks on social networks in the past year. So reports this morning from a number of Twitter users claiming they’ve received an email from Twitter asking them to reset their passwords after a suspected phishing attack are certainly cause for concern, either because they have indeed fallen victim to a phishing attack or because they’re about to fall victim to one by following the email’s instructions (see text below).

Certainly, it’s difficult to determine if the email is genuine. After all, its subject line is “Please change your twitter password,” and conventional wisdom is to never click a password-reset link in an email. That said, Twitter users who received it and followed its instructions have regained access to the service after being locked out.

So, if you’ve received such an email, tread carefully.
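The "tread carefully" advice above comes down to one check before anything is clicked: does the reset link actually point at the service's own domain? The following script is an added example, not part of the original post or anything Twitter distributes; it scores a reset-link URL against a small set of classic phishing tells (wrong scheme, user-info before an `@` that hides the real host, a bare IP address, non-ASCII lookalike characters, and a host that is not under the trusted domain). The trusted-domain list and the sample URLs are constructed assumptions for the demonstration.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Assumption for this example: a genuine reset link lives on twitter.com or a
# subdomain of it. Any other registered domain is treated as untrusted.
TRUSTED_DOMAINS = ("twitter.com",)


def link_is_suspicious(url: str) -> list[str]:
    """Return the red flags found in a password-reset URL (empty list = none found)."""
    reasons: list[str] = []
    parts = urlsplit(url.strip())  # urlsplit lowercases the scheme; hostname is lowercased too

    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme or 'missing'!r}, expected https")

    host = parts.hostname or ""
    if not host:
        reasons.append("no host in URL")
        return reasons

    # "https://twitter.com@evil.example/" parses with username=twitter.com and the
    # real host after the '@'; people reading the link see only the first part.
    if parts.username is not None:
        reasons.append(f"user-info before '@' hides the real host {host!r}")

    # Reset pages on a raw IP address rather than a domain name.
    if host.replace(".", "").isdigit():
        reasons.append("host is a bare IP address")

    # Homoglyph lookalikes (e.g. a dotless i) survive in the hostname as non-ASCII.
    if not host.isascii():
        reasons.append("host contains non-ASCII characters (possible lookalike domain)")

    # Exact match or a subdomain; "twitter.com.example.net" deliberately fails here.
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        reasons.append(f"host {host!r} is not under a trusted domain")

    return reasons


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to its list of red flags, for reviewing a batch of reported emails."""
    return {u: link_is_suspicious(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, the kind a user might find in a reset email.
    samples = [
        "https://twitter.com/account/resend_password",
        "https://twitter.com.example.net/reset",
        "https://twitter.com@evil.example/reset",
        "http://203.0.113.5/twitter/reset",
        "https://tw\u0131tter.com/reset",
    ]
    for link, flags in triage(samples).items():
        verdict = "OK" if not flags else "SUSPICIOUS: " + "; ".join(flags)
        print(f"{link}\n    {verdict}")
```

An empty result only means the link passed these structural checks; it is not proof the email is genuine. The safer habit the post describes still applies: open the site by typing its address rather than following the link, and change the password from there.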

As of this writing, Twitter has not commented on these reports on its blog or status page, though that doesn’t necessarily mean anything. In any event, I’ve asked the company for an explanation and will update here if and when I receive one.

UPDATE: Twitter just sent me the following comment:

As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite. In one case, a number of accounts posted updates indicative of giving their username and password to untrusted third parties. While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety. We’ll continue to provide updates as warranted at @safety and @spam. We do, as always, encourage our users to read our help pages on what to do if your account is compromised and how to stay safe on Twitter.

[Image credit: Andrew R.H. Girdwood]