Confusion as Twitter resets passwords

By Kathryn McConnachie, Digital Media Editor at ITWeb.
Johannesburg, 09 Nov 2012
While there appears to have been a phishing attack on the site, Twitter's overzealous response saw many users' passwords being mistakenly reset.
Twitter mistakenly reset the passwords of "a large number" of users on Wednesday, as it responded to what appears to have been a phishing attack on the site.

In an official statement, Twitter says: "We're committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an e-mail letting the account owner know this has happened, along with information about creating a new password. This is a routine part of our processes to protect our users.

"In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologise for any inconvenience or confusion this may have caused."

While Twitter has said the site's security was not breached, a number of users reported their accounts had indeed been compromised and were seen to be sending tweets with links to malware sites. Even the technology news site TechCrunch was among those affected.

Twitter has not said how many accounts were compromised, nor how many passwords were mistakenly reset.

The password-reset e-mails sent out by Twitter caused some confusion for those users whose accounts had not actually been compromised. The e-mail contained a link for users to follow to change their passwords - something often seen in phishing e-mails. As a result, many users have reportedly been ignoring the e-mail and not resetting their passwords.

Twitter has been criticised for not implementing two-factor authentication for its site. Responding to a query from TechCrunch, Twitter only said: "We've certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure."

Recently, following a spate of Twitter handle "hijackings", it was also noted that Twitter was an easier target than other social sites such as YouTube or Facebook, and that hackers were exploiting this weakness.

While most sites limit the number of login attempts on a per-account basis, Twitter only blocks a large number of login attempts coming from the same IP address before flagging or disabling the account. This essentially allows hackers to try different passwords as many times as they want, provided the attempts appear to be coming from different computers.
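As an added illustration of the weakness described above (example code, not Twitter's or ITWeb's), here is a login throttle that counts failed attempts per target account as well as per source IP, and a constructed run showing how an IP-only limit lets guesses against a single account continue when each batch arrives from a different address. The limits, window length and addresses are assumed values.

```python
from collections import defaultdict, deque

# Constructed example (not Twitter's code): a throttle that limits failed
# logins both per source IP and per target account. A throttle keyed only
# on the IP address, as the article describes, keeps admitting attempts
# against one account as long as each batch comes from a new address.

WINDOW_SECONDS = 600     # assumption: sliding window of ten minutes
IP_LIMIT = 50            # assumption: failures tolerated per source IP
ACCOUNT_LIMIT = 10       # assumption: failures tolerated per account

class LoginThrottle:
    def __init__(self, per_account=True):
        self.per_account = per_account          # False = IP-only limiting
        self.by_ip = defaultdict(deque)         # ip -> failure timestamps
        self.by_account = defaultdict(deque)    # account -> failure timestamps

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] > WINDOW_SECONDS:   # drop expired failures
            q.popleft()

    def allowed(self, account, ip, now):
        """True if a login attempt may proceed under both limits."""
        self._prune(self.by_ip[ip], now)
        self._prune(self.by_account[account], now)
        if len(self.by_ip[ip]) >= IP_LIMIT:
            return False
        if self.per_account and len(self.by_account[account]) >= ACCOUNT_LIMIT:
            return False
        return True

    def record_failure(self, account, ip, now):
        self.by_ip[ip].append(now)
        self.by_account[account].append(now)

def count_admitted_from_many_ips(throttle, account, attempts):
    """Failed guesses against one account, each from a fresh constructed IP,
    one second apart. Returns how many attempts the throttle let through."""
    permitted = 0
    for i in range(attempts):
        ip = f"198.51.100.{i % 250}"   # documentation range, constructed
        if throttle.allowed(account, ip, now=float(i)):
            permitted += 1
            throttle.record_failure(account, ip, now=float(i))
    return permitted
```

With `per_account=False` the throttle admits every one of 100 attempts, because no single address ever reaches `IP_LIMIT`; with the per-account counter enabled it admits only the first `ACCOUNT_LIMIT`.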