Twitter accounts compromised in torrent site scam

Twitter this week reset the passwords of some of its users after discovering malicious file-sharing sites that were set up to steal users' login credentials.

During regular monitoring of its user base for suspicious activity, Twitter noticed a sudden surge in followers for several accounts within the last five days, Del Harvey, Twitter's director of trust and safety, wrote in a blog post Tuesday. After investigating the issue, Twitter discovered that some of the accounts following the suspicious users were compromised by an attacker who stole login credentials from rogue file-sharing “torrent” sites.

For several years, an individual had been setting up torrent sites, as well as forums for torrent site usage, Harvey said. This individual sold these supposedly well-crafted sites and forums to others who wanted to start their own torrent download sites.

What buyers didn't know is that the sites and forums were actually riddled with security exploits and backdoors, which allowed the cybercriminal to gain access to the sites and steal users' login details.

“This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address and password of every person who had signed up,” Harvey wrote.

The cybercriminal was able to use the stolen login information to gain access to third-party sites, such as Twitter, because many individuals used the same password for multiple sites.

“The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites,” Harvey wrote. “Through our discussions with affected users, we've discovered a high correlation between folks who have used third-party forums and download sites and folks who were on our list of possibly affected accounts.”

Twitter reset the passwords for all accounts that were following the suspicious users, Harvey said. Twitter did not say how many accounts were affected.

This is the first time Twitter has identified this particular attack vector, he added.

The incident should be a warning for users not to use the same password for multiple sites, Jamie Tomasello, abuse operations manager at messaging security firm Cloudmark, said on Wednesday.

Whoever was behind this attack now can also attempt to gain access to user accounts on other sites besides Twitter, Tomasello added.

“I would not be surprised if they were using these same passwords against other social networking sites, banking sites and e-commerce sites,” she said.  

Meanwhile, Randy Abrams, director of technical education at anti-virus vendor ESET, commended Twitter for resetting users' passwords.   

“It really would be prudent for all of the social networking sites to start enforcing a mandatory password change at least once a year, if not more frequently, but that holds true for banks and other financial institutions as well,” Abrams said on Wednesday.
