Twitter Blames Phishing Attacks on Torrent Sites with Security Holes and Secret Backdoors

Yesterday in the morning, we reported that Twitter asked many of its users to reset their passwords in order to regain access to their accounts due to a possible phishing attack. Later in the afternoon, the micro-blogging website released a statement through the press, in which they explained that only a small number of accounts were compromised in some kind of phishing attack. Their explanation was a bit too simple and left a lot of questions.

Last night, Twitter finally addressed its users and the general public on its Twitter Status Blog, in a post titled “Reason #4132 for Changing Your Password.” In it, Twitter Trust and Safety Director Del Harvey explains what really happened and the reason for the password change notifications.

Here’s what happened, as written by Harvey:

“It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own.  However, these sites came with a little extra — security exploits and backdoors throughout the system.  This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.  Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information.  This information was then used to attempt to gain access to third party sites like Twitter.”

He goes on to say that not all the torrents sites involved have been identified, and that it’s very unlikely that they will identify them. As a precautionary rule, he advises current torrent site/forum members to change their password as soon as possible. He also suggests everyone to use different passwords for all the different online services you become a member of.