Twitter is being blindsided today by a new wave of attacks, this time involving the takeover of the accounts of prominent users. Barack Obama, Britney Spears, CNN’s Rick Sanchez, Fox News, and Facebook’s official accounts are amongst those that have been targeted thus far, with each sending out an obviously fake message ranging from explicit comments to ads for online scams. Here’s what the Fox News account looked like earlier today:
The only way to conceivably execute this type of prank is to obtain the passwords needed to access the accounts being compromised. And, unless all of these famous folks had easy-to-guess passwords, it means something else is afoot. Over the weekend, a phishing scam left many ordinary Twitter users vulnerable, and it’s conceivable that the folks maintaining the impacted celebrity accounts fell for it. But, that’s not necessarily the case.
You may recall Twitterank, the application that some initially thought might be a phishing scam a few months ago, a claim that its developers quickly refuted. While we’re not blaming Twitterank, there are so many applications out there – lacking any form of secure authentication with Twitter – that there are many different ways these passwords might have been compromised. An outright scam, a disgruntled employee, or a prank meant to prove a point? Who knows.
It’s all speculation right now, and we’re still waiting for official word from Twitter. But this type of attack is clearly going to be a huge PR nightmare as Twitter tries to lure more celebrity users, and may make users think a bit harder before blindly entering their credentials into third-party websites. That goes for services like Facebook Connect and MySpace ID too.
Update (10:35 PT): Twitter has updated its status blog and indicates the situation is under control:
“A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf.
We have identified the cause and blocked it. We are working to restore compromised accounts.
As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own.
More details to come.”