Twitter Mass Password Reset due to Phishing
Twitter is sending out a large number of e-mails asking users to reset their passwords. It appears that a large number of passwords were compromised in a recent phishing incident (mine included).
When I first received the message, I considered the e-mail a phishing attempt in itself. But all the links appeared to be "good". If you receive an e-mail like this, I recommend the following procedure:
- delete the e-mail
- go to Twitter by typing the address into your browser yourself. Best: use https://www.twitter.com (httpS, not http). (Hey, I got a link for you to make it easier ;-) https://www.twitter.com)
- change your password.
- do not reuse the password, and do not use a simple password scheme (like "twitterpassword" and "facebookpassword").
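The first two steps come down to one question: do the links in the message really lead to the site the e-mail claims to come from? As an added example (not part of this diary, and not Twitter's code), the script below parses the HTML body of a password-reset e-mail and flags every link that is not https, does not point at twitter.com, or shows one address in its visible text while the real href goes somewhere else. The sample message, its hosts and its paths are constructed for the example.

```python
"""Check the links in a password-reset e-mail before trusting any of them.

Added example for the diary above; not part of the original post.
The sample e-mail and every host and path in it are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# The site the e-mail claims to come from. Links must stay on this host
# (or a subdomain of it) and must use https.
EXPECTED_HOST = "twitter.com"


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _same_site(host, expected):
    """True if host is expected or a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_links(html_body, expected_host=EXPECTED_HOST):
    """Return (href, visible text, [problems]) for every anchor in the body."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        problems = []
        url = urlparse(href)
        if url.scheme != "https":
            problems.append("not https")
        if not _same_site(url.hostname or "", expected_host):
            problems.append("host is not %s" % expected_host)
        # Visible text that looks like a URL but names another host than the
        # real href is the classic lure: the reader sees twitter.com, the
        # browser goes elsewhere.
        shown = urlparse(text if "://" in text else "http://" + text)
        if shown.hostname and "." in shown.hostname and not _same_site(shown.hostname, url.hostname or ""):
            problems.append("visible text names a different host")
        results.append((href, text, problems))
    return results


def suspicious_links(html_body, expected_host=EXPECTED_HOST):
    """Only the anchors that have at least one problem."""
    return [r for r in check_links(html_body, expected_host) if r[2]]


# Constructed sample body: two legitimate-looking links and one lure whose
# visible text shows the real site while the href leads to a look-alike host.
SAMPLE_EMAIL = """
<p>We recently detected unusual activity. Please reset your password.</p>
<a href="https://twitter.com/settings/password">Reset your password</a>
<a href="http://twitter.com.example.net/login">https://www.twitter.com</a>
<a href="https://www.twitter.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for href, text, problems in check_links(SAMPLE_EMAIL):
        status = "OK" if not problems else "SUSPICIOUS (%s)" % ", ".join(problems)
        print("%-45s shown as %-28r %s" % (href, text, status))
```

The check is deliberately strict: a link whose host merely starts with "twitter.com" (as in the constructed "twitter.com.example.net") is rejected, because only the rightmost labels decide which site a browser actually contacts. Even when every link passes, the advice above still stands: type the address yourself rather than clicking.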
I know it is hard. A lot of people will advise against writing the password down, or using a "password safe" application. But considering the risks, I tend to advise people to rather write down their passwords or use a password safe application than use bad / repeated passwords.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter