Twitter password breach shows cascading exposure for unwary consumers

Twitter this morning said it mistakenly prompted more Twitter users than necessary to change their account passwords.

The popular micro-blogging service had intended to compel an undisclosed number of users to make the password change, based on information that the e-mail address and password combination they used to access their accounts had fallen into criminals’ hands.

The company sent this e-mail warning to certain users: “Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.”


Marcus Carey, a researcher at security firm Rapid7, says this development appears to be related to the latest escapade of the hacking collective Anonymous. Here’s what Carey says appears to have unfolded:

Monday. Anonymous members publicly post online 28,000 e-mail and password combination claiming that they could be used to access PayPal accounts. The motivation: to celebrate Guy Fawkes Day, honoring the 17th-century British rebel who’s idealized as the mask-wearing anti-hero in the 2006 film “V for Vendetta.”

Tuesday. A PayPal spokesman, says there’s no evidence any of its data had been breached. The New York Times reports that the 28,000 passwords actually belonged to ZPanel, a free open source hosting site.

Wednesday. Twitter, Facebook, Yahoo, Microsoft, Google and AOL cross reference the 28,000 disclosed e-mail and password combinations against account logins for their respective social networking and web e-mail services. This is standard operating procedure.

Thursday. Twitter begins compelling certain users to change their passwords. This happens when the user attempts to log-in. The service demands a phone number, email address or Twitter handle. Supplying a correct answer initiates an e-mail to the user requiring a password reset in order to access his or her account.

But Twitter went too far. After the password re-set set off a frenzy of microblogging, the company issued a statement saying it “unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused.”

Twitter spokewoman Carolyn Penner declined to comment on the possible connection to the 28,000 posted e-mail and password combinations. “We’re not providing any more details about the situation beyond the fact that this is a routine part of the process to protect our users,” Penner told USA TODAY.

Mandatory resetting of passwords is becoming common practice by the big social networks and web-mail services. It happened last July after Yahoo lost 400,000 account log-ins that were publicly posted, prompting a similar round of cross-referencing and password changes by other services.

That security practice is the unintentional consequence of web companies years ago adopting the practice of requiring consumers to use an e-mail address and password to access Internet-based accounts. It became common practice for many people to use the same account log-ins for multiple accounts.


“People tend to remain blissfully ignorant of divulging too much information on social media sites until it’s too late,” says Fred Touchette, security analyst at messaging security firm AppRiver. “ The fact is that information shared on such sites is public and for the taking.

Carey adds that when consumers use the same e-mail and password combinations “you have a cascading effect, in terms of exposure, across the Internet.”

In the cyberunderground , access to legit Twitter accounts has become a hot commodity. Pranksters can pose as their friends or enemies. And profit-minded criminals can impersonate legit users to more easily spread viral web links.

“Another issue with social media sites is the chance to add yet another vector for allowing malware onto the company network,” Touchette says. “Given the popularity of social networking sites, the malware authors spared no time in moving in on these sites as a way to proliferate their malicious payloads.”


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone