Tipsy Twitter apologises for password reset frenzy, but a real hack sparked it

09 Nov 2012 0 Security threats, Social networks, Twitter
by Lisa Vaas

Twitter has apologised for getting a little tipsy with account-locking gusto after having reset more passwords than it intended on Thursday.

The company won’t say how many users it “unintentionally” locked out of accounts and how many Twitterati received its subsequent email telling them to create a new password.

Here’s the apology:

"We’re committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users."

"In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused."

Message on Twitter's blog

Among the accounts reset was TechCrunch's. Unintentional resets aside, TechCrunch's was one of several stories pointing to a genuine compromise behind Twitter's reset snafu.

As Natasha Lomas describes it, TechCrunch’s account was hijacked by somebody who posted a work-from-home scam on its feed. (The site has since regained control of its account.)

Tweet from hacked TechCrunch account

And as has been widely reported, other Twitter account takeovers included accounts belonging to people who comment on Chinese affairs.

For example, The Register noted takeovers of the University of Hong Kong's China Media Project, which monitors censorship in the PRC, as well as the feed of former WSJ reporter and USC professor Mei Fong.

For his part, Patrick Chovanec, a professor at Tsinghua University in Beijing, tweeted that somebody broke in and tried to change his password.

Wow, my Twitter account just got hacked. Party Congresses are such fun.

— Patrick Chovanec (@prchovanec) November 8, 2012

He was logged in, however, and fended off the intruder.

Some are interpreting it as ipso facto Chinese censorship, with headlines such as “Cyber War: China Hacks Into Twitter and Censors it Ahead of Chinese Communist Election”.

But as others have pointed out, the Red Threat perception may amount to paranoia.

Such wariness is understandable, given that the Communist Party is currently holding its 18th National Congress.

But that's circumstantial evidence. Attributing a Twitter account compromise is extremely difficult, after all, and some of those who tweeted about having their accounts hijacked admitted that they couldn't really tell who the culprit was.

Twitter, in its email to those whose accounts were reset, alluded only vaguely to the compromise, saying it may have come from a "website or service not associated with Twitter." That phrasing usually points to credentials reused on, or leaked from, a third-party site rather than a breach of Twitter itself, which is why password reuse is the first thing to rule out when an account is hijacked.

In its apology, Twitter included a link to its list of tips for safe tweeting, including:

  • Use a strong password. Here's Sophos's Graham Cluley on making a unique and hard-to-guess password. If you don't want to juggle a basketful of unique and hard-to-guess passwords, use a password manager to generate and remember a different one for every site.
  • Watch out for suspicious links, and always make sure you’re on Twitter.com before you enter your login information.
  • Don’t give your username and password out to untrusted third-parties, especially those promising to get you followers or make you money.
  • Make sure your computer and operating system are up-to-date with the most recent patches, upgrades, and anti-virus software.
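Two of those tips are mechanical enough to put into code. The Python below is an added example written for this page, not code from Twitter or Sophos: the first function applies the "are you really on Twitter.com?" check the way an address bar should be read (HTTPS, then the exact host, ignoring any user@ prefix, port and path, and rejecting non-ASCII lookalike hosts), and the second generates a password from the operating system's CSPRNG and reports how many bits of guessing work it represents. Treating twitter.com and its subdomains as the only legitimate login hosts, and the minimum length of 12, are assumptions for the example; the URLs in the demo are constructed, not taken from the incident.

```python
import math
import secrets
import string
from urllib.parse import urlsplit

# Assumption for this example: only twitter.com and its subdomains are
# legitimate places to type a Twitter password.
LEGIT_APEX = "twitter.com"

# Characters the generator draws from: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def is_twitter_login_page(url: str) -> bool:
    """Return True only if `url` is an HTTPS page on twitter.com or a subdomain.

    The classic phishing tricks all fail this test:
      - twitter.com.example.net        (legit name used as a subdomain)
      - https://twitter.com@evil.net/  (legit name in the userinfo part)
      - https://evil.net/twitter.com/  (legit name in the path)
      - twltter.com / tw\u0456tter.com  (typo and homoglyph lookalikes)
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname drops userinfo and port and lower-cases the name.
    host = parts.hostname
    if not host or not host.isascii():
        return False
    return host == LEGIT_APEX or host.endswith("." + LEGIT_APEX)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Build a password from the OS CSPRNG (secrets), never from random.*."""
    if length < 12:  # assumption: 12 is the floor we accept for this example
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of work an attacker faces for a uniformly random password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample URLs for the demo; none were observed in the incident.
    samples = [
        "https://twitter.com/login",
        "https://mobile.twitter.com/login",
        "http://twitter.com/login",
        "https://twitter.com.account-reset.example/login",
        "https://twitter.com@evil.example/login",
        "https://evil.example/twitter.com/login",
        "https://tw\u0456tter.com/login",
    ]
    for u in samples:
        print(f"{'OK  ' if is_twitter_login_page(u) else 'STOP'} {u}")
    pw = generate_password(20)
    print(f"generated: {pw}  ({entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
```

The host comparison deliberately refuses anything that is not plain ASCII rather than trying to decode IDNA, because a login page is the one place where "looks like twitter.com" should never be good enough.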


Drunken bird image from Shutterstock.
