Thousands of Twitter users are seeing unexpected messsages from hacked online friends promoting a weight loss supplement that will, allegedly, "get the beach body you've always wanted".
Get the beach body you've always wanted, now you can with this weight loss supplement [LINK]
The messages link to what pretends to be a news website, but is really designed to promote an Acai Berry "miracle diet" marketed as "Power Slim". The product claims to have been seen in the pages of Women's Health, Elle, Marie Claire, Oprah, Cosmopolitan and other magazines.
If the miracle diet pills are doing so well at getting media coverage, it seems strange to me that it also has to be promoted through spam via compromised Twitter accounts - but there you go.
It's currently unclear how the Twitter accounts have been hacked. It could be that the users' passwords have been compromised, similar to another Acai Berry spam campaign we saw on Twitter at the end of last year following the Gawker password breach.
Too many users (perhaps as many as a third) are still using the same password for every website they access.
If your account on Twitter has been compromised, make sure you change your password to a non-dictionary word - and be sure to also change any other online accounts where you might be using the same password. Far too many people use the same passwords on multiple sites, which obviously increases your chances of becoming hacked.
Not sure how to choose a password that's memorable but also hard for the hackers to guess? Watch this video:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Update: Del Harvey, who heads up Twitter's Safety team, tells me that it appears the compromised accounts may be ones which recently had their passwords phished in ongoing attacks.
@gcluley All signs point to these accts being tied to previous phishing rounds, btw -- the "is this blog about you?!" type. Resetting, etc.—
Del Harvey (@delbius) July 27, 2011
Aside from changing your passwords, it would also make sense to scan your computer with an up-to-date anti-virus and check that you have the latest security patches in place.
If you want to be kept up-to-date on the latest security threats on Twitter and elsewhere on the net, follow me on Twitter.
Follow @gcluley
![Have your say - LulzSec: helpful, harmless or hideous? [VOTE NOW]](http://sophosnews.files.wordpress.com/2013/05/lulzsec-poll-thumb.jpg?w=75&h=75&crop=1)
![Password security infomerical leaves Ellen DeGeneres in disbelief.. and it will you too [VIDEO]](http://sophosnews.files.wordpress.com/2013/04/ellen-thumb.jpg?w=75&h=75&crop=1)
![Can multiple moving cursors really hide your password from spyware and peepers? [VIDEO]](http://sophosnews.files.wordpress.com/2013/03/cursors-thumb.jpg?w=75&h=75&crop=1)
![Hacked TV channels broadcast zombie apocalypse emergency alert [VIDEO]](http://sophosnews.files.wordpress.com/2013/02/zombie-thumb.jpg?w=75&h=75&crop=1)
useless article without info about how it happened.
Sorry you think the article is useless. The intention is to warn people about it, and tell them how to better defend their accounts.
We can't tell at the moment how the hack occurred.
We were being warned, maybe?
I am sure this will be followed up with more information on the possible ways the accounts were compromised.
Regarding the passwords strength I'll suggest a look at https://www.grc.com/haystack.htm
And you can always use Lastpass to manage all passwords.
The advice from Sophos on passwords is years out of date -
use TWP (three word phrases - or four even) e.g. "purple glazed clouds" with _ for spaces if you have to - these are actually more secure and less likely to be written down (and thus compromise the whole thing) than that daft old fashioned example from Sophos...
Don't forget that modern brute force tools use dictionary words as tokens, so "purple glazed clouds", nonsensical or not, is all of 3 tokens long. Besides that, a passphrase is only as good as the person who holds it... none, if the user gets phished.