November 09, 2012, 5:50 PM

The Twitter gods giveth, and the Twitter gods taketh away.
I have to admit, between the presidential debates and the election coverage, I have been pretty much living on Twitter lately. So I must offer kudos to Twitter for surviving Election Night 2012 and 31 million tweets with nary a sign of the Fail Whale.
That’s the good news. The bad news is that Twitter’s been having its share of security problems lately, and it’s responded by shooting itself in its little bird feet.
Last month I wrote about a malware scam that’s being spread via bogus Direct Messages on Twitter. Well, it’s still happening – I got another one of those yesterday. And it seems I am not alone. Earlier this week Twitter sent out an email to an unknown number of users, telling them their accounts had been compromised and they needed to change their passwords.
The problem? It sent out too many emails, some to people whose accounts were not compromised and thus were not expecting it. Per Twitter’s Status Page:
In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused.
Worse, some people whose accounts hadn’t been compromised thought these emails might in fact be bogus, sent by attackers to steal their Twitter logins. So they ignored them.
Now everyone’s confused and asking questions: Was my account hacked? Is that a legit message from Twitter? If I follow that link and change my password, am I really changing my Twitter password or giving hackers in Latvia the keys to my Twitter account? Where are my pants? (OK, that last question was just from me.)
It’s a mishegas, in part because Twitter – unlike Google and Facebook – has yet to offer two-factor authentication to users, though you can tell it to ask for more information (like your email address) when resetting your password. Why doesn’t Twitter offer multi-factor authentication, such as sending a disposable PIN to your smart phone when you log in from an unknown device? Good question.
When asked by TechCrunch, a Twitter spokeshuman responded thusly: