Twitter officials are trying to lock down their systems in the wake of a successful attack against at least 33 high profile accounts that were hacked through the social network's support tools.
The breach took place just days after users reported a fast spreading phishing attack that was attempting to steal passwords and other identifiable information. Among the breached high profile accounts was President elect Barack Obama, pop singer Britney Spears, media outlet Fox News and CNN anchor Rick Sanchez, Twitter wrote Monday in a blog posting.
The social network, which allows users to connect to friends and colleagues and post brief messages in real-time, has grown in popularity in recent months. Twitter has gone through a number of growing pains since it launched in 2006. At times the micro-blogging service had consistent down time as a result of system overload. Some estimate Twitter has grown to well over 3 million accounts and the popularity in corporate environments is rising.
Social networking threats:
can widget malware on social networking sites threaten enterprises? Protecting enterprise
networks from the malware on popular social networking sites is a complicated issue. Information
security threats expert John Strand gives advice.
How to implement and enforce a social networking security policy: For a new generation of employees entering the workforce, social networking isn't a luxury, it's a necessity.
MySpace, Facebook ignoring basic principles of security: Social networking websites MySpace and Facebook present a significant security risk to users.
Phishing, identity theft keeps law enforcement, researchers occupied: An expert on cybercrime and online scams, Derek Manky, is one of the members of the Fortiguard research team.
Twitter said the accounts that were compromised have been returned to their owners. The hacker exploited a vulnerability in the support tools used by Twitter staff to help people edit email addresses or reset passwords.
"We considered this a very serious breach of security and immediately took the support tools offline," the company wrote in a statement on its blog. "We'll put them back only when they're safe and secure."
The support team has been dealing with a phishing scheme attempting to send direct messages to users with a link to a malicious website. The site looks like a Twitter login page, but steals account names and passwords of victims who attempt to login. Twitter said it has reset a number of passwords to breached accounts as a result of the scheme.
One of the problems is that many users are ignoring common sense, clicking on links from unknown Twitter followers. Mary Landesman, senior security researcher at Web filtering vendor ScanSafe Inc., said in a statement via email that users must rethink using Twitter and other social networks as a popularity contest. Often people add followers and seek them out without even knowing their identity, Landesman said.
Other experts said users should always sign out of an account not being used and take time to confirm whether a link was sent from a friend or colleague.
"It's a completely avoidable breach of security -- never, ever enter your login credentials from a website accessed via a link received in email, IM or twitter," Landesman said. "While it must be embarrassing for the celebrities who were impacted, it should concern all citizens when the future president of the United States is among the victims."
At one point the Twitter phishing scheme redirected victims to a bogus Facebook login page, according to researchers at TrendLabs. Other social networks, including Facebook and LinkedIn have also been vulnerable to phishing attacks and social engineering schemes in recent months. TrendLabs recently reported finding a number of bogus LinkedIn profiles used to direct users to malicious websites.
"Malicious links contained in these bogus profiles lead browsers through a series of redirections, but ultimately to malware," said TrendLabs' Ivan Macalintal, an advanced threats researcher who discovered the accounts.