Britney, Obama Twitter Feeds Hijacked Following Phishing Attack



Official Twitter feeds belonging to Barack Obama's campaign, Fox News and Britney Spears were hijacked to send out fake messages on Monday, two days after a password-stealing phishing attack targeted the microblogging service.

"A number of high-profile Twitter accounts were compromised this morning, and fake/spam updates were sent on their behalf," the company acknowledged on its website Monday. "We have identified the cause and blocked it. We are working to restore compromised accounts."

A fake message sent to followers of the Fox News Twitter feed announced that Fox host Bill O'Reilly "is gay," while a message from Britney Spears' feed made lewd comments about the singer. A tweet sent out from the Barack Obama account asked users to click on a link to take a survey about Obama and be eligible to win $500 in gasoline.

Though the fake tweets were decidedly unsubtle, the apparent compromise of the hugely popular microblogging service could have more serious implications. Users increasingly rely on feeds from news sites and other trusted sources, and a more subtle fake Twitter message sent out from a compromised account could potentially wreak some havoc.

The flock of fake tweets followed a weekend phishing attack designed to steal Twitter passwords. It's not yet clear whether the two events are connected, though the company's warning on Monday hinted at a more widespread attack than just a handful of high-profile accounts. "As a precaution, it would be prudent to reset your Twitter password and make sure email in your settings is your own," the company wrote.

The phishing scam went after Twitterers set up to receive e-mail notification whenever they're sent a private direct message -- messages that generally come from trusted friends and followers. In this case, the e-mail notification urged them to visit a website.

Hey, i found a website with your pic on it. . . LOL check it out here

The message included a link to what appeared to be the Twitter log-in page, but was actually a scam site designed to grab a visitor's Twitter username and password when he or she logs in. The malicious website, twitter.access-logins.com, is registered in China. Although its hostname begins with "twitter", the domain actually registered is access-logins.com, not twitter.com; the leading label is there only to make the address look legitimate at a glance.
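The trick above, a trusted brand name placed in the leftmost label of someone else's domain, can be caught mechanically by checking the registrable domain of a link rather than how it starts. The following is an added example (not code from the article or from Twitter) that classifies login links; the phishing host is the one named in the article, and the other sample URLs are constructed for illustration. It also flags the related trick of hiding the real host behind a `user@host` prefix.

```python
"""Classify login links by registrable domain, not by how the hostname starts.

Added example, not part of the original article. twitter.access-logins.com is
the phishing host named in the article; every other URL below is constructed.
"""
from urllib.parse import urlsplit

# Assumption: only twitter.com and its subdomains legitimately serve the login page.
TRUSTED_REGISTRABLE = {"twitter.com"}

# Brand strings a phisher may embed anywhere in the host or userinfo part.
BRAND_LABELS = {"twitter"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'access-logins.com'.

    Simplification: assumes a single-label public suffix, which is wrong for
    suffixes such as co.uk. A production check would consult the Public
    Suffix List; this keeps the example dependency-free.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_login_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' for a login URL.

    'lookalike' means a trusted brand string appears in the authority part of
    the URL (host or userinfo) while the registrable domain belongs to
    someone else, which is exactly the twitter.access-logins.com pattern.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "other"
    if registrable_domain(host) in TRUSTED_REGISTRABLE:
        return "trusted"
    # netloc still contains any user@ prefix, so 'https://twitter.com@evil.example/'
    # is caught here even though its hostname is evil.example.
    authority = parts.netloc.lower()
    if any(brand in authority for brand in BRAND_LABELS):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links for a quick look.
    for sample in ("https://twitter.com/login",
                   "https://twitter.access-logins.com/login",
                   "https://twitter.com@access-logins.com/login",
                   "https://example.org/login"):
        print(f"{classify_login_link(sample):9s} {sample}")
```

The check deliberately ignores the scheme, path and page content: a phishing page can copy the real login form pixel for pixel, but it cannot change which domain was registered.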

Many people unwisely reuse the same username and password across numerous internet services, including their online banking accounts, so someone who falls for the phishing scam and enters his credentials in the fake Twitter log-in page could find that a scammer has hijacked his other accounts as well.

UPDATE: Twitter posted an update to its blog announcing that its service was hacked in an attack that was unrelated to the phishing scam. According to the company, 33 Twitter accounts were hacked -- including Barack Obama's account. An attacker hacked into some tools that Twitter's support team uses to help account holders and gained access to the Twitter accounts of Obama and others. Twitter has taken the tools offline until it's able to secure them.

Twitter has not responded to a request for comment.

UPDATE II: Twitter co-founder Biz Stone got back to me late this afternoon and explained that the hacker got into the tool Monday morning by using a dictionary attack to guess the password of one of his support team employees. He didn't know what the employee's password had been but said they took the tool offline until they could shore up their internal security.
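A dictionary attack of the kind Stone describes succeeds because the target password is a word on the attacker's list, not because of any flaw in how the password is stored. The following added example (not Twitter's code; the tool, the user, the word list and the passwords are all constructed for illustration) simulates such an attack against a support-tool login, first with no protection and then with a lockout after a few failed attempts, which is the control that stops online guessing.

```python
"""Simulate a dictionary attack against a support-tool login, with and without
a failed-attempt lockout.

Added example, not Twitter's code. SupportTool, its user, the word list and
the passwords are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed word list; real attacks use lists with millions of entries.
WORDLIST = ["password", "letmein", "twitter", "welcome", "happiness",
            "sunshine", "qwerty", "monkey"]


def hash_password(password: str, salt: bytes) -> bytes:
    # A slow, salted hash raises the cost of each guess but does not make a
    # dictionary word strong: a few guesses still suffice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class SupportTool:
    """Minimal login gate. lockout_after=None reproduces the unprotected case."""

    def __init__(self, username: str, password: str,
                 lockout_after: Optional[int] = None) -> None:
        self.username = username
        self.salt = os.urandom(16)
        self.stored = hash_password(password, self.salt)
        self.lockout_after = lockout_after
        self.failures = 0
        self.locked = False

    def login(self, username: str, password: str) -> bool:
        if self.locked or username != self.username:
            return False
        if hmac.compare_digest(hash_password(password, self.salt), self.stored):
            self.failures = 0
            return True
        self.failures += 1
        if self.lockout_after is not None and self.failures >= self.lockout_after:
            self.locked = True  # further attempts are refused until an admin resets
        return False


def dictionary_attack(tool: SupportTool, username: str,
                      wordlist=WORDLIST) -> Tuple[Optional[str], int]:
    """Try each word once. Returns (recovered_password_or_None, attempts_made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if tool.login(username, guess):
            return guess, attempts
        if tool.locked:
            break
    return None, attempts


if __name__ == "__main__":
    # Unprotected: the word-list password falls on the fifth guess.
    print(dictionary_attack(SupportTool("support1", "happiness"), "support1"))
    # Same password, lockout after three failures: the attack is cut off.
    print(dictionary_attack(SupportTool("support1", "happiness", lockout_after=3),
                            "support1"))
    # A passphrase not on the list survives the whole word list.
    print(dictionary_attack(SupportTool("support1", "correct horse battery staple"),
                            "support1"))
```

Lockout is one of several online controls (rate limiting, CAPTCHA after failures, a second factor); it matters here because a support tool that can act on any account is the kind of target where a single guessable password should never be the only barrier.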

With regard to the separate phishing attacks that occurred over the weekend (there were two of them), he said his engineers were able to identify every Twitter user who followed links to the fake site and gave out their credentials. The company has reset the passwords for those users. Stone didn't have any details to explain how the engineers identified those users.