"You may not care very much if your credentials on Trapster have been compromised and may think that not too much harm can come from that," said Graham Cluley, a senior technology consultant with U.K.-based Sophos, in a post Thursday to the security company's blog. "But what if you use the same e-mail address/password combination on other Web sites such as your Twitter account, or Web e-mail address?"
Today, the head of Twitter's Trust and Safety team told Trapster users to change their passwords pronto. "Don't use the same password on multiple sites!" said Del Harvey in a tweet at 1:30 p.m. Eastern.
Some of the usernames and passwords obtained last month in the Gawker hack were quickly used to commandeer Twitter accounts that had been protected by the same passwords. The Twitter accounts were then used to launch a spam campaign on the micro-blogging service.
Another security professional said everyone should simply assume that their Internet passwords will be compromised at some point.
"People really should be changing their passwords twice a year," said Andrew Storms, the director of security operations for nCircle Security, in an instant message interview. "Not because someone could have compromised it, but because someone has compromised it. Maybe we should all just assume all public site passwords will be compromised and accept it as a new fact of life."
Many companies require workers to change their e-mail passwords on a regular basis; Storms argued that the tactic makes sense for everyone.
"We usually get pushback about password changes and the answer is typically, 'But it could be compromised,'" he said. "Now we are getting more and more evidence that it has been compromised."
Trapster said it has rewritten the service's code to prevent similar attacks in the future, and has "implement[ed] additional security measures to further protect your data." The company did not spell out what those measures were, however.