Twitter Password Resets Linked to Torrent Sites

Twitter has explained in greater detail the reason behind its decision to reset the passwords for some of its users on Tuesday after an external phishing attack. It turns out the problem, which Twitter first described as a “combination of multiple bad acts,” was part of a scam that may have exposed Twitter users who also visit torrent sites requiring login credentials. The incident also highlights, once again, that developing good password management habits is a crucial part of keeping your online identity secure.

Torrent Sites Open For Phishing Season

In a recent post on the Twitter Status blog, the company pointed to an unnamed Website designer as the main culprit behind the recent phishing expeditio

n. For a number of years this designer had been creating Website templates for torrent sites and forums that require new users to create a login ID and password. The designer would then sell these Website templates to third parties who wanted to start their own torrent site of forum.

So the third-parties would set up their torrent sites, cataloging the latest music, film and software downloads, and people would begin signing up to use the service. But unknown to the site administrator, the unnamed designer had created a backdoor into the site allowing the designer to scoop up all the login credentials for the torrent site’s members.

After that, the designer took the login credentials and ran them against third-party sites like Twitter. Since many people use the same login information for multiple Websites and services, the site designer soon had access to a number of Twitter accounts. Even worse, the site designer left some gaping security holes in the design that allowed other hackers to exploit the sites.

One such exploit would prevent users from logging in to the torrent site, and then redirected the user to a different site where they were asked for their login credentials again. This way the hackers could collect login credentials and try to gain access to a user’s Twitter accounts using the same methods as the site designer.

Twitter has not said which torrent sites were victims of this scam, but the microblog is advising all users who are

also members of any torrent site to reset their passwords. Twitter said there was a “high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts.” However, Twitter also said not all users who were sent password reset notifications were victims of the torrent scam.

Password Safety

This latest Twitter attack highlights, yet again, why practicing good password habits is so crucial. You likely know the password basics like avoiding common passwords such as ‘123456,’ or ‘password,’ which reportedly led to the RockYou data breach last month. You should also make sure you use a combination of letters and numbers, and the more random these combinations are the better. Your password should also be at least eight characters in length, and make sure they do not include things like a common word, name or part of your e-mail address.

But the problem with the Twitter hack wasn’t so much about password strength as password management. If you’re using one, two, or even three common passwords across all your services then you may be vulnerable to a similar attack. One of the best ways to defend against this is to use a password management program.

If you want something a little more low tech you could also consider writing down all your passwords on a separate piece of paper and keeping it somewhere safe (hint: not underneath your keyboard). A less secure, but more practical, option is to create a text file or spreadsheet listing all your passwords. But if you plan to go this route just make sure you don’t name your file something obvious like ‘passwords,’ ‘secrets’ or ‘keys to the kingdom.’

You can find several password management programs in PC World’s download center, and Macworld has a good list of password managers for OS X users.

Connect with Ian on Twitter (@ianpaul).