Hundreds of thousands of Twitter accounts appear to have been compromised by hackers, who have spread spam promoting an Acai Berry diet.
Typical spam messages included:
I lost 9lbs using acai! RT This! [link]
Lost 10lbs using acai berry! RT This! [link]
The messages appeared so quickly that initial reports suggested that simply visiting the webpage linked to in the messages might automatically post the message from your own Twitter account, however the truth may instead be connected to a high profile password hack that came to light on a different website over the weekend.
According to Del Harvey, Twitter's director of trust and safety, the messages appear to have been posted from accounts where users were using the same password on both Twitter and the recent Gawker website hack. (Note that their are many websites in the Gawker network, including Lifehacker, Gizmodo, etc).
Got a Gawker acct that shares a PW w/your Twitter acct? Change your Twitter PW. A current attack appears to be due to the Gawker compromise.—
Del Harvey (@delbius) December 13, 2010
Clicking on the links (which appear to use domain names called "acainews" but could easily use other names in their links too) being spread via Twitter takes you to an advertorial page promoting the so-called miracle diet.
Which, in turn, directs users to a page selling a diet solution which claims to use acai berries as an ingredient:
The key issue here is that too many users (perhaps as many as a third) are still using the same password for every website they access.
Not enough computer users have woken up to the danger of using the same password on different websites. Doing that means that if one site gets hacked (as in the Gawker case) then you might also be handing over the keys to other websites.
Once one password has been compromised, it's only a matter of time before the fraudsters will be able to gain access to your other accounts and steal information for financial gain.
Furthermore, it's important that users don't use a word from the dictionary as their password. It's easy to understand why computer users pick dictionary words as they're much easier to remember, but as I explain in this video a good trick is to pick a sentence and just use the first letter of every word to make up your password.
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Password security is becoming more important than ever. Make sure that you're taking the issue seriously, or suffer the consequences.Follow @gcluley