By Byron Acohido, USA TODAY
Twitter this morning said it mistakenly prompted more Twitter users than necessary to change their account passwords.
The popular micro-blogging service had intended to compel an undisclosed number of users to make the password change, based on information that the e-mail address and password combination they used to access their accounts had fallen into criminals' hands.
The company sent this e-mail warning to certain users: "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account."
Marcus Carey, a researcher at security firm Rapid7, says this development appears to be related to the latest escapade of the hacking collective Anonymous. Here's what Carey says appears to have unfolded:
- Monday. Anonymous members publicly post online 28,000 e-mail and password combinations claiming that they could be used to access PayPal accounts. The motivation: to celebrate Guy Fawkes Day, honoring the 17th-century British rebel who's idealized as the mask-wearing anti-hero in the 2006 film V for Vendetta.
- Tuesday. A PayPal spokesman, says there's no evidence any of its data had been breached. The New York Times reports that the 28,000 passwords actually belonged to ZPanel, a free open-source hosting site.
- Wednesday. Twitter, Facebook, Yahoo, Microsoft, Google and AOL cross-reference the 28,000 disclosed e-mail and password combinations against account logins for their respective social networking and web e-mail services. This is standard operating procedure.
- Thursday. Twitter begins compelling certain users to change their passwords. This happens when the user attempts to log-in. The service demands a phone number, email address or Twitter handle. Supplying a correct answer initiates an e-mail to the user requiring a password reset in order to access his or her account.
But Twitter went too far. After the password re-set set off a frenzy of microblogging, the company issued a statement saying it "unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused."
Twitter spokeswoman Carolyn Penner declined to comment on the possible connection to the 28,000 posted e-mail and password combinations. "We're not providing any more details about the situation beyond the fact that this is a routine part of the process to protect our users," Penner told USA TODAY.
Mandatory resetting of passwords is becoming common practice by the big social networks and web-mail services. It happened last July after Yahoo lost 400,000 account log-ins that were publicly posted, prompting a similar round of cross-referencing and password changes by other services.
That security practice is the unintentional consequence of Web companies years ago adopting the practice of requiring consumers to use an e-mail address and password to access Internet-based accounts. It became common practice for many people to use the same account log-ins for multiple accounts.
"When consumers use the same e-mail and password combinations you have a cascading effect, in terms of exposure, across the Internet," Carey says.
In the cyberunderground , access to legit Twitter accounts has become a hot commodity. Pranksters can pose as their friends or enemies. And profit-minded criminals can impersonate legit users to more easily spread viral Web links.
"Spamming is rampant," Carey says. "There's tons and tons of corrupted links moving across Twitter."
It's a huge advantage for a spammer to be able to Tweet from an account from a legit party who has hundreds or thousands of followers. "You get more bang for the buck from the attackers' standpoint," Carey says.