Twitter Mass Password Reset due to Phishing

Published: 2010-02-02
Last Updated: 2010-02-02 21:47:04 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

Twitter is sending out a large number of e-mails, asking users to reset their passwords. It appears a large number of passwords got compromised in a recent phishing incident (mine included).

When I received the message at first, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:

  1. delete the e-mail
  2. go to twitter by entering the link in your browser. Best: use (httpS not http) (hey. I got a link for you to make it easier ;-)
  3. change your password.
  4. do not reuse the password, do not use a simple password scheme (like "twitterpassword" and "facebookpassword")

I know it is hard. A lot of people will advice against writing the password down, or using a "password safe" application. But considering the risks, I am tend to advice people to rather write down the passwords or use a password safe application compared to using bad / repeating passwords.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute

8 comment(s)


Thanks for the link. ;-)

While I know that the number of phishing attempts has likely grown, the number that are making it through my spam filters has decreased significantly.
Thanks Johannes. Obviously the phishing particulars were very good in order to catch an expert like yourself. Would you post a technical description of the phish attack?
I don't know which phish I fell for :( (or if I fell for any of them). It may just be that I visited a phishing site while investigating a known phish and as a result showed up as "infected" in Twitter's logs. One reason is that they may have listened to what I wrote a few years back, and looked through their referrer logs if any users loaded for example images from with a referral from the phishing site.

The e-mail I got last night, asking me to reset my password, was authentic. But yes, it would be nice to know what that phish looked like.

Another possible "phishing" exploit are web sites that ask you for twitter credentials to post directly from the site to twitter. I visited one such site yesterday. Have to look at it closer.

Regarding spam filters and phishing: The problem are usually the few good phishing e-mails that make it past the filter.
Slightly off-topic, but why would anyone advice against using a password safe application? As far as I'm concerned, that's the only way to have secure, unique passwords for every website... there is no way anyone can remember a couple dozen of "5rAYa!hE2h#b" passwords. Remembering one of these to authenticate to the password safe is hard enough.

P.S. No, that is not my password :)
I suspect that the problem is using a password safe app that uses insufficient protection. It gives you a false sense of security.
I also use 1Password on my iPhone and my Mac.
The passwords are protected by a strong password (and strong encryption/security), and I usually uses generated passwords. This is way better than weak passwords.

It make it almost impossible to hack my passwords. Hackers need to get access to my phone or my computer. Or use extended charset in their rainbow tables if they get hashes off a website. And they can not use my twitter password to go anywhere else.

A good password safe is the way to go.
Twitter have announced the reason for the password change here:-

A good example of why you should use different passwords for any type of account you setup :)
The correct URL for twitter is uses an invalid security certificate. The certificate is only valid for (Error code: ssl_error_bad_cert_domain)

Diary Archives