Skip to main content
Part of complete coverage on

Reports: Phishing attack hits Twitter

By John D. Sutter, CNN
Twitter users are encouraged to reset their passwords from
Twitter users are encouraged to reset their passwords from
  • Reports: Phishing scheme hits Twitter this week
  • Bloggers, security expert say users should reset their passwords
  • Phishing attacks lure Web users to fake sites to steal personal info
  • Expert: Attacks increasingly hit social networks because of lack of security
  • Twitter Inc.
  • Internet

(CNN) -- If you're on Twitter, it may be a good idea to change your password today.

The site on Tuesday appeared to have been hit by a phishing attack that could be used to steal a user's sensitive log-in information, according to blogs and news reports.

Twitter said it reset some users' passwords because of the attack, according to a statement published by CNET:

"As part of Twitter's ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite," Twitter's statement says.

In a January blog post, site co-founder Biz Stone noted that some Web sites may be trying to masquerade as in an attempt to steal users' password information.

He encouraged Twitter fans to change their passwords on, and noted that they should be careful to check the site's URL to be sure they hadn't been led to a fake Web site that simply looks like it's Twitter:

"If you receive a direct message or a direct message e-mail notification that redirects to what looks like -- don't sign in. Look closely at the URL because it could be a scam," he said.

One common scam URL, the post notes, looks like this: [Do not visit this link]

If you are directed to that fake site instead of, Stone says not to enter your password. Look at the address bar in your Web browser to tell for sure.

The scope of the most recent phishing attack was unclear Tuesday morning. Bloggers, some of whom have posted photos of their correspondence with Twitter about the scheme, report that fake e-mails and direct messages on Twitter are being passed around to point people to phishing sites.

Online scammers increasingly are targeting social networks since they generally don't have the same kind of security protections in place as e-mail accounts, said Graham Cluley, a senior technology consultant at Sophos, a security company.

"This is the next generation of attacks, really," he said.

Cluley's company released a report on Monday saying that reported phishing schemes on social networks -- those that lure users to fake Web sites to steal their log-in information -- have increased in recent months. Nearly a third of 500 companies surveyed by Sophos reported to have been the victim of a phishing attack via a social network at the end of 2009, which was up from 21 percent that reported an attack in April of last year.

The goal of a phishing scheme is to lure a person to give away his or her password information, and then use that information to get sensitive info from a person's social network, he said.

Social networks allow phishing schemes to spread rapidly, Cluley said, because some people have very large online social networks, and because many people let third-party sites access their Twitter and Facebook accounts to offer additional services.

"There are Web sites out there that can offer you additional Twitter services," he said. "For example, they may offer statistics about how often you're tweeting ... they may try to generate new followers for you. The service needs to somehow be able to log in on your behalf to be able to do some of these things."

Those sites are dangerous, and Cluley said social networkers should not enter their password and user-name information on such sites. Only use third-party services that allow you to log in directly through the social networking hub, like, he said.

The site, for instance, requires users to give away their log-in information in order to share photos on Twitter, he said. A similar site called does not. It lets users log in through Twitter's main site.

He suggested Twitter users go directly to to reset their passwords instead of clicking any links that claim to do so.