This morning, Twitter started locking a subset of users out of their accounts, sending them e-mails asking them to change their passwords in order to regain access to the service. The e-mail said those measures were taken due to concerns that their accounts may have been compromised in a phishing attack, and hinted at a third-party service being at fault.
We asked Twitter for more information about the attack, and this is the response that they just gave us:
As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite. In one case, a number of accounts posted updates indicative of giving their username and password to untrusted third parties. While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety.
Asked how many users were affected, Twitter declined to share details but said the number is ‘very small’. Twitter also said its response is for issues seen from last Wednesday on.
Update: Asked whether Nutshellmail has something to do with this, as has been suggested on other blogs, Twitter says it does not. The company instead referred to multiple “get followers fast” schemes causing trouble for some users.
Twitter promises to continue to provide updates and encourages users to read the help pages on what to do if their account is compromised.
Note that Twitter has yet to communicate the whole ordeal on its company blog and/or status website, although the account @safety acknowledges the attack and refers to its security measures as a ‘precautionary step’.
We’ll keep you posted as we try and obtain more information about these attacks.