Twitter Asks Users To Reset Passwords After Possible Phishing Attack
Robin Wauters
Feb 2, 2010

Twitter is locking many users out of the system this morning, and sending them notices that they need to change their passwords in order to regain access to the service, due to concerns over a possible phishing attack.

While some people are worried that the e-mails might themselves be a phishing attack, there is a flood of tweets from users who received the same message after being locked out of their accounts, so the notices appear to be genuine.

The message, copied here by a blogger, reads:

Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset. Please create a new password by opening this link in your browser:
[PASSWORD RESET LINK].

The message adds:

As a reminder, you should be extraordinarily suspicious of any third party that offers to artificially inflate your follower count. We do not endorse any of these sites.

We’ve contacted Twitter for more information, but for now it may be wise to change your password whether or not you’ve received this e-mail, and to do so by going to twitter.com directly and using the site’s own password reset rather than following a link in an e-mail.
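The worry several readers voice below, that the notice itself could be a phishing e-mail, comes down to two checks that can be scripted: every link in the message must resolve to the expected domain (not a lookalike such as twitter.com.something.example, and not a host hidden behind a user@ prefix), and the Authentication-Results header added by your own receiving mail server should record a DKIM pass for that domain. The following Python is an added example, not code from TechCrunch or Twitter; the two messages are constructed for illustration and TRUSTED_DOMAINS is an assumption.

```python
"""Checks to run on a password-reset e-mail before following its link:
does every link really point at the expected domain, and does the
receiving server's Authentication-Results header show a DKIM pass for it?

Added example, not code from TechCrunch or Twitter. The sample messages
are constructed, and TRUSTED_DOMAINS is an assumption for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumption: the only domain a genuine Twitter reset link may point at.
TRUSTED_DOMAINS = {"twitter.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)
# Matches "dkim=pass ... header.d=signer.example" inside Authentication-Results.
DKIM_RE = re.compile(r"dkim=(\w+)(?:[^;]*?\bheader\.d=([\w.-]+))?", re.IGNORECASE)


def link_host(url):
    """Hostname a browser would actually connect to, lower-cased.

    urlsplit() resolves the userinfo trick: in http://twitter.com@evil.example/
    the hostname is evil.example, not twitter.com.
    """
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """Exact match or a real subdomain of a trusted domain.

    Anchored at the end of the name, so www.twitter.com passes while
    twitter.com.evil.example and twltter.com do not.
    """
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(msg):
    """Return [(url, host, trusted)] for every link in the message body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return [(u, link_host(u), is_trusted_host(link_host(u))) for u in URL_RE.findall(text)]


def dkim_pass_for_trusted(msg, trusted=TRUSTED_DOMAINS):
    """True if an Authentication-Results header records dkim=pass for a trusted signer.

    Only the header added by your own receiving mail server counts; anything
    further up the chain can be forged by the sender, as can the From: line.
    """
    for value in msg.get_all("Authentication-Results", []):
        for result, signer in DKIM_RE.findall(str(value)):
            if result.lower() == "pass" and signer and is_trusted_host(signer, trusted):
                return True
    return False


def assess(raw_message):
    """Parse a raw message and report whether, and why, it looks like phishing."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = classify_links(msg)
    bad_links = [u for u, _, ok in links if not ok]
    dkim_ok = dkim_pass_for_trusted(msg)
    return {
        "links": links,
        "bad_links": bad_links,
        "dkim_ok": dkim_ok,
        "suspicious": bool(bad_links) or not dkim_ok,
    }


# Constructed samples. Both carry the same From: line on purpose: that header
# is trivially forged and proves nothing about who sent the message.
PHISH = """\
Authentication-Results: mx.example.net; dkim=none
From: Twitter <support@twitter.com>
To: user@example.net
Subject: Reset your password
Content-Type: text/plain; charset="utf-8"

Due to concern that your account may have been compromised, your password
was reset. Please create a new password by opening this link in your browser:
http://twitter.com.account-verify.example/reset?token=abc123
"""

LEGIT = """\
Authentication-Results: mx.example.net; dkim=pass header.d=twitter.com
From: Twitter <support@twitter.com>
To: user@example.net
Subject: Reset your password
Content-Type: text/plain; charset="utf-8"

Please create a new password by opening this link in your browser:
https://twitter.com/account/resend_password?token=abc123
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        report = assess(raw)
        print(name, "SUSPICIOUS" if report["suspicious"] else "ok", report["bad_links"])
```

Even when both checks pass, the safer habit is the one some readers describe below: ignore the link, type the site’s address yourself and use its own forgotten-password flow, so the only reset link you ever follow is one you requested.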

Just yesterday, Sophos published a report showing that social networking services like Facebook and Twitter are increasingly being targeted by cybercriminals.

(Hat tip to Marjolein Hoekstra)

  • http://www.facebook.com/people/Travis_Koger/1179375763 Travis Koger

    Fundamentally dodgy email this though. No company should be asking users to reset their password by including a link to do just that in an email. This screams of phishing and making it officially supported provides more backing for actual phishing attacks.

    How can a normal user differentiate between an official twitter email with a link versus a phishing email with a link? They have just removed the ability to differentiate by doing the same thing phishers do!

    And for twitter themselves to not be yelling that something is going on from the highest mountain this looks even more suspicious.

  • http://flapic.amplify.com Flavio

    I received it too. The problem with changing Twitter’s password is that you’ll need to change it also on all those applications that access the account and do not use OAuth: Seesmic Desktop, just to name the one I noticed did not work for me this morning before I read the email. It’s a mess, and just entering the new password into the apps doesn’t give immediate access but takes time. Furthermore, some apps that keep trying the old password (it happened to me on Digsby) lock the account again!

  • shamsensei

    Trending cyber attacks means the medium is getting relied on more now

  • Robin Wauters

    Agree

  • http://www.techretold.com Shan

    Didn’t receive it till now? Is it safe to change the passwords?

  • sr

    Does anyone have proof this links back to Twitter? The best phishing attacks are those that trick the user into thinking they’re resetting their password. Does this link definitely go to Twitter?

  • sr

    To clarify: It’s entirely possible this is a fake email, the users have clicked the link, entered the fake info and had their accounts hijacked and then found they couldn’t log in.

    We all know what most of Twitter users are like…

  • http://www.facebook.com/people/lvirs_Salmanov/500546796 еlvirs Salmanov

    stupid twitter doing more and more stupid things. I cant wait to see twitter go down and never come back so that the world does not have to suffer from meaningless twitter related twitter news everyday.

  • Robin Wauters

    Most say they were locked out and only then noticed the e-mail from Twitter, which led to the Twitter website, and that they regained access after they changed passwords.

  • Robin Wauters

    twitter?

  • shamsensei

    huh?

  • http://www.thefranchisekingblog.com Joel Libava

    When I tried to log in to my Twitter account last night (2-1-2010) I could not.

    Something definitely happened last night, and resetting the password today fixed it.

  • Mike

    Security and reliability at Twitter is amazing. The site is always going down and now they ask you to reset your password… One of the main reasons I don’t use the service, besides the fact that it just doesn’t make any sense to me.

  • http://www.facebook.com/people/Cesar_Razuri/579743060 Cesar Razuri

    In the one instance they mention. It’s unfortunate people even want to increase their followers via impractical methods.

  • http://www.facebook.com/people/Gebadia_Smith/613518863 Gebadia Smith

    What can a user do? 99.9% of all users likely use these services for the intended purposes. We put up with having to enter hard to read words.. you need a mobile to get a gmail account..

    How do we protect our identity online? Do we need harsher laws for cyber crimes? Would that even matter considering a lot of these crimes originate in places like China or India or other places where our laws don’t reach.

    It seems to me that with more and more of our lives being shared online that finding a way to protect users would be priority number 1.

    If someone can hack google.. hack twitter.. hack facebook.. how can we protect ourselves?

  • magnum

    At first glance, you thought it was a phishing scheme, but tracing the email headers and comparing them with the official Twitter messages in your inbox, they’re the same, therefore legit.

    One thing about OAuth is you can’t force users not to use it. I for one use it so many times, not only to connect Twitter, but to manage my Twitter account. It works perfectly if you don’t want to hand your precious user/pass to a 3rd-party website.

    As a safety precaution (like the ones you did on the last Twitter ‘defacing’ attack: http://bit.ly/twitter-hacked-iran-responsible): if you have one almighty password for your email/social-networking account/etc., it’s better to reset it now than be sorry in the end.

  • http://buzzlr.com serdar

    I got 3 emails from them saying you should change your pass, and I thought it was a phishing attack and needed to check the mail headers etc.

    Anyway it is better to change I think

  • willatabz

    Wow, this happened to me once, no, many times actually. I tried signing in but my password had changed, so I reset it; it happened again so I reset it again and again.
    Word to the wise: don’t make Twitter your life, do not take the whole social networking thing seriously, because once you lose control, it’s the END, esp. since it does not seem safe anymore… oh well…

  • http://www.techretold.com Shan

    Phishing attacks from India??? China is no. 1 in that..

    But as far as I am concerned, there are no borders on the Web.

  • Gregg

    Isn’t this the same site that guest writer Vivek Wadhwa is always mentioning as the model for gov’t technology reform? How often has the California payroll or unemployment system been hit by phishing attacks, mass outages?

  • Elza Hayen

    I received the e-mail from Twitter a little after midnight EST and changed it only to notice 10 mins later I was locked out AGAIN! I believe there’s an issue with Nutshellmail. Even after revoking access to the 3rd party item, issues still remain. Wonder how many times I’ll get locked out today? Grr…

  • http://twitter.com/fuckCPC FuckCPC

    Maybe the Chinese government did it.

  • http://www.bigjobsboard.com bigjobsboard

    Well, in my opinion, we just need to really contact Twitter on this matter. Whether the phishing attack is real or just a fake to lead to a bigger catastrophe, Twitter is doing the actions to bring this issue to the flat line. If changing passwords will bring things to normal, why not? But don’t you think that emails are the ones used for phishing? Possible, right?

  • http://ceejayoz.com/ ceejayoz

    I, and about 50,000 other people, were force-followed by the @THCx account the other day. search.twitter.com shows lots of people very confused about how it showed up on timelines.

    I’m very careful about phishing, so I suspect one of the OAuth connections I’ve authorised got paid to make the accounts they have access to follow the account. Reported to Twitter and they are “aware of the problem”.

  • http://lisa.org coem laoglier

    The first step to protecting your identity online is not assuming twitter will be able to protect your identity online. Same goes for FB and myspace and any other social networking website. It is very simple. If you use the same password on twitter, FB, myspace, gmail, online banking, your laptop, your mobile then you get what you deserve.

    What you do after coming to grips with that reality is up to you.

  • MAtt

    Still locked out. I noticed it last night, and I am still logged in with Chromed Bird (which I had disabled, I prefer Seesmic).

    I have no idea why I was told to change my password, I hadn’t done anything that could have been phishing, I’m much too careful when it comes to that. Really annoying that I still can’t log in to my Twitter account eight hours later.

  • S Feather

    @ceejayoz ,

    I too was “force-followed” by THCx.

    My only outside connections are:
    # Backupify
    # Foursquare
    # TwitStates

  • http://blogs.delphiforums.com/fortunas Fortunalee

    I received one of the notices, and had noticed I was locked out on twhirl. Rather than respond to the email notice, I went to the main Twitter page, and used the forgotten password link. It worked instantly to get me back in. However… I don’t use the “gain thousands of followers instantly” sites, because it’s irrelevant to me whether I have 20 followers or 2,000. It’s more likely that one of the seemingly legitimate applications I’ve tried out sold me down the river along with the other 50,000 people…

  • http://www.facebook.com/people/Fernando_Checa_Nuez/1095153121 Fernando Checa Nuñez

    Easy solution, everyone change their password….

  • Paul B

    Struck me that this might be a ploy for Twitter to get more uniques to their site as their traffic is trending downwards. Just will give them a spike this month, but external appearances are important.

  • Liz

    This is the second time this has happened to me, all of a sudden my password doesn’t work. It’s a pain considering I have a number of Twitter accounts & different email accounts associated with them.

  • K

    sarcasm fail

  • http://www.facebook.com/people/Todd_Gilmore/1178534565 Todd Gilmore

    Goofy

  • http://www.pcdistrict.com flavius saracut

    Indeed, I’ve spent a bunch of minutes analyzing whether this is not a phishing scam itself. At that time there was nothing in the news about these password problems at Twitter.

  • http://thierry.andriamirado.netsika.net Thierry Andriamirado

    sr, this is not a fake email: I received it -after- my account was locked (my password didn’t work). Just be careful on what you click, as some bad guys may try to profit from this to send “real fake” e-mails ;-)

  • Yuhong Bao

    Well, this is an email that asks the user to select a new password, and would a phisher be able to directly change the password on a Twitter account? Not until the phisher has control over Twitter’s servers or has the current password.

  • HellZiggy

    I don’t know what # Backupify or # TwitStates are, but I JUST signed up for # Foursquare on Sunday night. I was force-followed by THCx and got the phishing email this morning. Foursquare is NOT getting my new password!

  • http://www.facebook.com/people/Karm_Khanna/504558983 Karm Khanna

    So much trouble just to push more penis enlargement pills…

  • Phil E. Drifter

    Twitter sucks, and people who use it are deluded with visions of self-importance. Nobody gives a shit what you’re doing every fucking minute.

    You’re all twittarded.

  • http://pchackshack.com gqken

    Same here, my password just didn’t take?
    http://pchackshack.com

  • Charlene Anderson

    I have several Twitter accounts, as does my husband. The only two that were locked out this morning are the ones I monitor and post from using Seesmic Desktop. Coincidence? Who knows.

  • http://www.facebook.com/people/Jeanne_Nix/1248417073 Jeanne Nix

    I was locked out of my account once and after inquiring how to get back in they sent instructions on how to re-set my password. However, I don’t believe it had a link in it.

    Also, there is a way that a person’s account can be taken over by spammers and the spam messages sent out along with regular tweets. In order to end this you need to also re-set your password.

    I have no clue if any of this is pertinent.

  • Vivica S

    I got the phishing email from Twitter, but didn’t click on the link. I went to Twitter to log in and saw that they disabled my password. So, not knowing whether the email was a phishing attack or not, I just clicked the “Forgot my password” link on Twitter’s site, to have another link sent to me to reset my password. Both emails were totally different! The forgot my password email I initiated actually contained my name, whereas the other email saying my account had been attacked did not. I never click on links telling me to reset my password, unless I initiated the reset password request.

  • http://www.backupify.com Rob

    Hi S Feather,
    I know that @backupify was not the problem. It only affected a few of our users.

  • http://www.verygoodservice.com verygoodservice

    Got the phishing email too. Was locked out and took the bait :(
    Will now follow the advice from @designinglady . Very sensible. Thank you

  • Joe

    Yet you use TechCrunch?

  • http://kahrn.com/blog kahrn

    Perhaps this is related to the attack in December? http://kahrn.com/blog/2009/12/twitter-hacked-prognosis/

  • http://www.dmgsouth.com Dee Gardner

    I think they did it just to bug the spammers. Doesn’t seem to be a slow down of spam though.

  • http://www.smallbones.ca Jane

    I agree 100%. I rec’d it and re-set new password. Funny though, I haven’t been locked out of other apps.

  • http://twitmerlin.com/robert-siciliano-top-8-worst-twitter-social-media-hacks/ Robert Siciliano: Top 8 Worst Twitter Social Media Hacks | Twitmerlin – News, Celebs Gossip, Social Media

    [...] Phishing: Sending tweets to update accounts or visit spoofed sites where the user needs to enter credentials that allows a [...]

  • http://truedomain.wordpress.com/2010/02/11/phishing-news-of-the-week-5-february-2010/ Phishing News of the Week – 5 February 2010 « Truedomain Blog

    [...] TechCrunch | Twitter users asked to reset password after possible phishing attack Globe and Mail | Fraudsters steal carbon permits through phishing [...]

  • http://blog.sherifmansour.com/?p=490 What Retweet and PageRank have in common – Blog the web

    [...] been trying to tackle fake accounts by introducing verified accounts. Spam continues on, and the security issues of Twitter aren’t helping [...]

  • http://www.hican.net/2010/02/21/warning-twitter-phising-attacks/ WARNING: Twitter Phising Attacks! « hican.net

    [...] TechCrunch [...]

  • http://www.yadayadamarketing.com/2438/yada-yada-newsletter-feb-2-2010/ Yada Yada Newsletter Feb 2, 2010 | Yada Yada Marketing

    [...] Twitter Asks Users To Reset Passwords After Possible Phishing Attack [...]

  • http://latimesdaily.com/2010/04/23/top-8-worst-twitter-social-media-hacks/ Top 8 Worst Twitter Social Media Hacks | LaTimesDaily.com

    [...] Phishing: Sending tweets to update accounts or visit spoofed sites where the user needs to enter credentials that allows a [...]

  • http://apluspayrollservice.com/ Payroll Albany

    Great post, thanks for the information.

  • Hesky

    I got this thing this morning!
