Was your Twitter account hacked last night? Automatic password resets were reported by Twitter users across the web last week. I woke up on Thursday morning to this email in my inbox:
A Real Alert or a Phishing Email?
Without my morning coffee to sharpen my wits, I almost clicked the links without any thought. But the countless security tips I’ve researched and written for the Scambook Blog suddenly rushed to mind and stayed my cursor. What if this was a phishing email, using a false warning to steal my password?
Sure, the message looked legit. There were no obvious red flags, like bad English, and the reset links did start with “https://”. Remember, the “s” stands for “secure,” so website URLs that begin with “https://” are less likely to redirect you to a phishing page. When I hovered my mouse over the links, my browser showed me they directed honestly. Sometimes, digital con artists spoof their links — the text in the email body might read “https://twitter.com” but actually point to another website.
The email also addressed me by my real Twitter handle, whereas phishing emails sometimes leave off personal salutations. Here’s the email again, highlighted to point out the features I just mentioned.
Still, hackers are clever and constantly evolving. Before I reset my Twitter password, I had to be sure the email was legitimate. I examined the sender’s information. On Gmail, you can do this by clicking the little triangle icon that says “Show Details.” Other email clients display this information automatically or hide it under a view menu. Explore your email interface until you know where to find it.
More signs pointing to “legit”: as you can see above, the email was mailed-by postmaster.twitter.com and signed-by twitter.com. If the sender information is inconsistent, for example if the email claims to be from twitter.com but has been signed-by yahoo.com, that’s a red flag for phishing fraud.
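The two checks described above, hovering over links to see where they really point and comparing the sender information, can be automated on a raw message. The following Python is an added example, not code from the original post or from Twitter; it assumes that “mailed-by” corresponds to the Return-Path domain and “signed-by” to the d= tag of the DKIM-Signature header (which is how Gmail derives those labels), and it runs on a constructed sample message with placeholder domains.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message with hypothetical domains; not a real Twitter email.
SAMPLE = b"""Return-Path: <bounce@postmaster.example.com>
From: Example Support <support@example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail; h=from:subject; bh=AAAA; b=BBBB
Subject: Your password was reset
Content-Type: text/html; charset=utf-8

<p>Reset here: <a href="https://example.com/reset">https://example.com/reset</a></p>
<p>Or here: <a href="http://example-login.evil.test/reset">https://example.com/reset</a></p>
"""

def _domain(addr_header):
    """Domain part of an address header such as From or Return-Path, lower-cased."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()

def _same_org(a, b):
    """True when one domain equals or is a subdomain of the other (postmaster.x.com vs x.com)."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def sender_consistency(msg):
    """Compare From with the DKIM signing domain (d=, 'signed-by') and Return-Path ('mailed-by')."""
    from_dom = _domain(msg["From"])
    tags = dict(t.strip().split("=", 1) for t in str(msg.get("DKIM-Signature", "")).split(";") if "=" in t)
    signed_by, mailed_by = tags.get("d", "").strip().lower(), _domain(msg["Return-Path"])
    return {"from": from_dom, "signed_by": signed_by, "mailed_by": mailed_by,
            "consistent": _same_org(from_dom, signed_by) and _same_org(from_dom, mailed_by)}

def spoofed_links(msg):
    """Anchors whose visible URL text names a different host than the real href target."""
    html = msg.get_body(preferencelist=("html",)).get_content()
    bad = []
    for href, inner in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", inner).strip()  # what the reader sees as the link text
        if urlparse(shown).hostname and urlparse(shown).hostname != urlparse(href).hostname:
            bad.append((shown, href))
    return bad

def check(raw=SAMPLE):
    """Return (sender consistency report, list of spoofed links) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return sender_consistency(msg), spoofed_links(msg)
```

On the sample, the sender headers agree with each other while the second link shows one host and points at another, which is exactly the mismatch the hover test catches.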
After I observed these points, I felt reassured but I still wasn’t ready to trust this email just yet. I quit my browser, opened a brand new session, then typed https://twitter.com/account/resend_password into the new window. I knew this page was safe and secure because I visited it directly, in a fresh browser session, bypassing the suspicious email links altogether.
Then, I submitted my Twitter handle, and received this second email a few moments later:
My real name, good writing, honest links beginning with https:// — and of course, this was an email I requested instead of one I received out of the blue in the middle of the night. No question that this was legit! Following the guidelines presented in our How to Create a Secure Password video, I reset my Twitter password and moved on with my day.
Twitter Responds to the Incident
So was my Twitter account actually hacked? After I logged in with my new password, I checked for unauthorized Tweets, Direct Messages sent from my account and new Apps installed without my permission. I couldn’t find anything unusual that indicated I’d been hacked. But my feed was full of chatter about the incident. A post by TechCrunch provided answers, noting an announcement from status.twitter.com:
We’re committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users.
In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused. [Emphasis added]
In other words, my account wasn’t hacked, but others were. The folks at Twitter just went a little overboard when they reset their users’ passwords.
But this incident was a powerful reminder that no one is truly secure from hacking. Be aware that you’re vulnerable. Don’t publish private personal information on social media sites like Twitter and never use the same password across different accounts. Keep an eye out for suspicious activity at all times.
If you receive an unexpected email from Twitter, Facebook or another service telling you your account has been compromised, review the message carefully before you take action. Any time you’re asked about your password via email, it’s a red flag. Take precautions to make sure you’re not being fooled.