Just days after popular social networking tool Twitter was hit was a phishing scam, the company is now trying to clean up a mess surrounding a separate hacking attack.
Over the weekend, some Twitter users received scam tweets, or direct messages, to visit certain sites or blogs. The URL in the message redirected users to a bogus login page in an attempt to steal login credentials for a phishing scheme. Monday, thing got worse as Twitter officials revealed several high profile accounts, such as those of Britney Spears and Barack Obama were hacked.
"It appears someone gained access to the tools Twitter uses to control its millions of accounts," explained Graham Cluley, a senior technology consultant at security firm Sophos PLC. "Internal tools used by the tech support team were compromised. It's not clear if it was an inside job, or outside hacker. Twitter does say they think it was an individual."
The hack, according to Cluley, is much more serious than the earlier phishing attack because it was compromise of the system that potentially exposed all Twitter users to the following dangers.
Fraudalent password use If you gain access to someone's Twitter account, you might be able to gain access to their password, said Cluley.
"We know that 41 percent of people admit to using the same password on every web site and account that they access," he said.
Hackers, while gaining access to something seemingly simply like a username and password to one account may very well be able to use the information to gain access to more important information, such as your bank account.
Malware Infection Twitter officials said 33 accounts had been attacked in the latest hack, including high-profile users such as Britney Spears and Barack Obama. The hackers used their temporary access to send offensive messages. CNN journalist Rick Sanchez found his account had been hacked with a message that read "i am high on crack right now might not be coming to work today."
The damage could have been much worse, said Cluley, if the hacker had decided to take a different approach.
"Imagine if instead, in the case of Britney Spears account for example, that the hacker had posted a link that said: 'Here's my new video. Click on this link.' Imagine how many people would have clicked on that and it could have pointed to malware? And Barack Obama is one of the most followed people on Twitter. If he said: 'I've just made a new speech. Check it out.' a lot of people would click on that link and get infected."
Identity theft Much like with Facebook and other Web 2.0 tools, it is always possible people are sharing too much information, said Cluley, which could be useful for the purpose of identity theft or other illegal activity.
"Imagine you have fraudulent access to an account and you have ex you are stalking? There may be information up there you don't want people to have."
Cluley said ultimately this news begs the question of why weren't Twitter systems more secure and what are the implications for the company.
"Some people are saying this ruins Twitter," said Cluley. "Twitter had been looking for a business model, a way to make money, and now that is no longer viable, according to some criticism. But I would say if that were the case, then e-mail and web sites would be no longer viable either. People are still going to carry on using Twitter. Twitter is becoming an enormous success story. This really is the first big headache they've had. But it's an appalling start of the year for them on the security side."
This story, "3 Ways a Twitter Hack Can Hurt You" was originally published by CSO.