Thursday, February 11, 2010

HubSpot's Twitter Grader being used to push Twitter spam?

After a surprising tweet - from myself - I'm wondering whether I've made a mistake in using Twitter Grader to research Twitter users.

About ten days ago I was one of the bloggers who reported a forced Twitter password reset. It sparked suggestions that Twitter was under attack. Could this be a new hack? Has Grader been hacked? Or is there a connection?

Twitter's official response suggested that people shouldn't be using the same password and email combination across the net, and that problems with Torrent sites combined with that bad habit were the reason for the reset. That didn't sit right with me because a) I don't torrent and b) I had a unique password/email combination. The hugely respected Tamar Weinberg also questioned the response.

One of the odd twists of the password reset saga was that my account was never used for a tweet or a direct message that I didn't write.

Until today. Today a Grader client was used to promote an attempted viral video.

I am certain I didn't tweet this:



The big green arrow points to the client I don't use. It's also worth noting that HubSpot founder and Grader code guru Dharmesh Shah tweeted the exact same thing.

So; what's going on? I did change my password when Twitter forced me to and I didn't use the same one as last time.

I recall I did log into Twitter Grader and, hmmm, this may have been before OAuth. It's possible it was one of the early sites I trusted with my password. That might explain why I seem to be tweeting for them.

I did change my password, though.

Please note that I did tweet Dash to ask if he might have pressed the wrong button and perhaps tweeted for everyone instead of himself. He's had no time to write a response. I can see how a mistake like that could happen. It does go to show the power that sites like Twitter Grader could bring to bear if they wanted to.

I can also see the site being hacked - and its database being used to push spam. Again, though, I'm struggling to understand how a site without OAuth access (unless it OAuths under a different name) could tweet for me after a password change.


It may also be worth keeping in mind that although my account wasn't used for any odd tweets - I was following @THXc - when I'm sure I didn't take that decision.

I do want to say that I don't know the people from HubSpot, have recommended their video broadcast and do respect what they've done with inbound marketing. I'd like to be on good terms with them.

So; is there a connection between HubSpot's Twitter Grader and the forced password reset? Or are the two events unrelated?

What's certain is that I've just tweeted something, via Grader, that I shouldn't have.

I'm not the only one. A quick search shows that hundreds of other sites have tweeted the same thing; all via Grader.



The tweet in question reads:
Biz Stone Promoting Twitter in 2006 @ http://seonix.org/2010/02/11/biz-stone-promoting-twitter-in-2006/ #funny #crazy #twitter #1337


Update: Grader confirmed as hacked.
