The Twitter gods giveth, and the Twitter gods taketh away.
I have to admit, between the presidential debates and the election coverage, I have been pretty much living on Twitter lately. So I must offer kudos to Twitter for surviving Election Night 2012 and 31 million tweets with nary a sign of the Fail Whale.
That’s the good news. The bad news is that Twitter’s been having its share of security problems lately, and it’s responded by shooting itself in its little bird feet.
Last month I wrote about a malware scam that’s being spread via bogus Direct Messages on Twitter. Well, it’s still happening – I got another one of those yesterday. And it seems I am not alone. Earlier this week Twitter sent out an email to an unknown number of users, telling them their accounts had been compromised and they needed to change their passwords.
The problem? It sent out too many emails, some to people whose accounts were not compromised and thus were not expecting it. Per Twitter’s Status Page:
In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused.
Worse, some people whose accounts hadn’t been compromised thought these emails might in fact be bogus, sent by attackers to steal their Twitter logins. So they ignored them.
Now everyone’s confused and asking questions: Was my account hacked? Is that a legit message from Twitter? If I follow that link and change my password, am I really changing my Twitter password or giving hackers in Latvia the keys to my Twitter account? Where are my pants? (OK, that last question was just from me.)
It’s a mishegas, in part because Twitter – unlike Google and Facebook – has yet to offer two-factor authentication to users, though you can tell it to ask for more information (like your email address) when resetting your password. Why doesn’t Twitter offer multi-factor authentication, such as sending a disposable PIN to your smart phone when you log in from an unknown device? Good question.
When asked by TechCrunch, a Twitter spokeshuman responded thusly:
We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure. This support article and this blog post offer additional information and tips.
Translation: Either a) we don’t know, or b) we know but we’re not willing to say.
Granted, implementing two factors on Twitter would be a bit trickier than on Facebook or Google, where presumably most people log in using a single genuine identity. Twitter on the other hand, encourages multiple identities. I know of one privacy wonk who has at least six. Tying six identities to one smart phone number makes things a little harder to manage for Twitter, though hardly impossible.
Having an attacker gain access to your Twitter account may not seem like a big deal, and for many people it isn’t. But if you link from Twitter to other accounts, like your blog or email address, that gives the attacker more ways to get to you. If you use the same password to log in to other sites – or use Twitter itself to authenticate you, as many sites do -- it becomes something you need to seriously worry about.
Just ask Wired’s Mat Honan, who found his digital life eviscerated by hackers who simply coveted his @mat Twitter handle, then proceeded to gain access to his Apple and Amazon accounts.
Twitter offers advice on how to keep your identity safe here. If you’re unsure about whether you’ve been compromised, the best advice I can give is to log in to Twitter directly and change your password. Do it right now, I’ll wait. And keep your pants handy; you never know when you might need them.
Got a question about social media? TY4NS blogger Dan Tynan may have the answer (and if not, he’ll make something up). Visit his snarky, occasionally NSFW blog eSarcasm or follow him on Twitter: @tynanwrites. For the latest IT news, analysis and how-to’s, follow ITworld on Twitter and Facebook.
Now read this: