Wednesday, February 03, 2010

Twitter changed my password - not sure I agree with the official response


My post yesterday about Twitter changing my password was used as a reference by some blogging powerhouses like Mashable and TechCrunch. Woot!

Twitter has now said more about the reasons behind the change:
“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third party sites like Twitter. We haven’t identified all of the forums involved (nor is it likely that we’ll be able to, since we don’t have any connection with them), but as a general rule, if you’ve signed up for a torrent forum or torrent site built by a third party, you should probably change your password there.”

Over at Mashable, Stan Schroeder notes, "Well, folks, I guess it all boils down to the same old advice: never use the same email/password combination on multiple sites."

He's right. As I said in my original post - I'm a cautious chap. My email/password combination to Twitter was unique. I don't even use torrent sites.

So why was my password changed?

It might well be the case that my account was a false positive. Twitter thought "better safe than sorry" and made the switch. However, I was following @THXc, and I don't remember doing that. I'm not saying I didn't do it. I don't remember doing so, and it would surprise me if I had: it's not the sort of account I'd follow.

I still think there's a little digging to do here.
