Twitter pushed out a password reset Tuesday evening to accounts that were following suspicious users. The move comes in the wake of a revelation that phishers were attempting to steal usernames and passwords using fake BitTorrent sites.
Twitter foiled the plan as part of its ongoing monitoring for odd activity. Twitter noticed a sudden surge in followers for a couple of accounts in the last five days. When Twitter technicians started digging, they discovered a plot that compelled immediate action.
"Torrent sites aren't exactly new; however, this is one of the first times that we've seen an attack that came from this vector," said Del Harvey, director of trust and safety at Twitter. "It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own."
A Patient Cybercriminal
But Harvey said these sites came with a nefarious bonus, of sorts, in the form of security exploits and backdoors throughout the system. This patient cybercriminal pushed out the torrents, waited for the forums and sites to get popular, and then used those exploits to get access to the username, e-mail address, and password of every person who signed up.
"Additional exploits to gain admin root on forums that weren't created by this person also appear to have been utilized," Harvey said. "In some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third-party sites like Twitter."
Twitter has yet to identify all the forums involved. In fact, Harvey admitted, it's not likely that Twitter will be able to, since the micro-blogging service doesn't have any connection with them. However, Harvey offered a word of wisdom to Twitter members who have signed up for a torrent forum or torrent site built by a third party: Change your password.
Lessons Learned
The takeaway from the latest social-network attack is that people keep using the same username and password, or some variant, on multiple sites. Twitter's discussions with affected users reveal a high correlation between folks who have used third-party forums and download sites and folks who were on Twitter's list of possibly affected accounts.
"While not all users who were sent a password-reset request fall into this category, we felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account," Harvey said. "We strongly suggest that you use different passwords for each service you sign up for."
Graham Cluley, a senior security analyst at Sophos, said that although he doesn't know how many people were affected, Twitter appears to have sent warnings to a fair number of users, advising them to check their security and change their passwords. He concurs with Harvey's assessment of the root issue.
"The problem is that too many people use the same password for multiple web sites," Cluley said. "You should not only choose non-dictionary, hard-to-crack, passwords to secure your web accounts, but you should also choose different passwords for different sites."
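The defensive response described above, forcing a reset only on accounts whose password matches one exposed elsewhere, can be reproduced by a service against its own credential store. The following is an added illustration, not Twitter's actual process or code. It assumes a properly salted PBKDF2 store, a constructed third-party leak (the e-mail/password pairs below are invented), and that matching is done in-process against the service's own hashes, never by trying credentials against any other site.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample: credentials an attacker harvested from a third-party
# torrent forum. In practice this list would come from a breach notification.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse"),
    ("carol@example.com", "letmein"),
]

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for the demo


@dataclass
class StoredUser:
    """One row of the service's own user table: per-user salt plus PBKDF2 hash."""
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(email: str, password: str) -> StoredUser:
    """Register a user the way the service would: fresh salt, never the plaintext."""
    salt = os.urandom(16)
    return StoredUser(email, salt, hash_password(password, salt))


def password_matches(user: StoredUser, candidate: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(user.pw_hash, hash_password(candidate, user.salt))


def accounts_to_reset(users: list[StoredUser], leaked: list[tuple[str, str]]) -> list[str]:
    """Return e-mails of accounts that reused a password exposed in the leak.

    Only accounts that both appear in the leak and still authenticate with the
    leaked password are flagged; a user who already uses a different password
    on this service is left alone, matching the targeted reset described in
    the article.
    """
    by_email = {u.email.lower(): u for u in users}
    flagged = []
    for email, leaked_password in leaked:
        user = by_email.get(email.lower())
        if user is None:
            continue  # leaked account has no presence here
        if password_matches(user, leaked_password):
            flagged.append(user.email)
    return flagged


def build_sample_users() -> list[StoredUser]:
    """Constructed user table for the demo."""
    return [
        create_user("alice@example.com", "hunter2"),      # reused the leaked password
        create_user("bob@example.com", "a-different-one"),  # in leak, but not reused
        create_user("dave@example.com", "letmein"),       # not in the leak at all
    ]


if __name__ == "__main__":
    for email in accounts_to_reset(build_sample_users(), LEAKED_CREDENTIALS):
        print(f"force password reset: {email}")
```

Because the hashes are salted, the comparison can only be made by the service that holds them, at the moment it has a plaintext to test; the same `password_matches` routine can be reused at login or password-change time to reject a password known to be exposed.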
Anonymous:
Posted: 2010-02-07 @ 6:42am PT
I'm not a Twitter user, so perhaps I'm missing something. What's the value in accessing accounts on a website that caters to vain nobodies? It's not like they keep banking information on Twitter, right?
Anonymous:
Posted: 2010-02-05 @ 4:14am PT
My Twitter password was reset recently.