No, I Don’t Want to Tell You About the Fastest Way to Lose Body Fat in Two Weeks
On Sunday afternoon, someone logged into my Twitter account and posted a link to a gross weight-loss-pill site. I looked over at my page a few minutes later, and saw a bunch of messages warning me that it looked like my account had been hacked. I tweeted about it, got some helpful and sympathetic replies, and quickly changed my password.
I was able to pretty easily reset my password using Twitter’s helpful “My account was hacked or compromised” form. So far, I don’t see evidence that anything else was messed with. But while I was in the settings, I removed support for some 109 different apps I’d given my Twitter credentials, just in case.
(That included a bunch of things that I rarely use — old Twitter clients like Echofon and Twidroyd — or that have been shut down since I signed up — like Brizzly and Ditto and Summify — so it was probably a good exercise, anyway. For what it’s worth, it didn’t seem like Twitter proactively blasted out to these apps that my password had been changed or compromised; I was able to keep using my TweetDeck session until I myself quit and relaunched.)
Way more serious “I’ve been hacked” stories are out there, but in case it’s helpful to others, let me quickly say what happened to me.
It seems that I fell for a stupid, low-grade phishing prank. The first thing I saw when I glanced at my phone, bleary-eyed in bed on Sunday morning, was a direct message from a friend. It said “FYI this profile on twitter [LINK] is spreading nasty blogs around about you.”
Yikes, that was a ticket to the heart of this vain tech blogger.
I don’t like to think I’m particularly gullible or susceptible to phishing scams, but I sure was. When I clicked through from my phone to a page that asked me to log in to Twitter, I entered my credentials and was taken to a page that said the supposed nastyblogger account was deleted.
Hours later, of course — when I was fully awake and using a full-sized monitor, and had realized my account had been compromised — I saw the Web page I’d typed my Twitter password into was “http://itwtier.com/.” Oops.
But honestly, I seem to enter my credentials for various sites so often these days it’s almost like a learned reflex. Of course I didn’t check the URL.
As Twitter spokesman Jim Prosser gently put it to me later in the day, “Socially engineered phishing attempts like this (e.g. you get a message from someone you actually know, as opposed to a random or otherwise previously unseen sender) are one of the most common ways people get fooled into compromising their accounts online.”
Yes, I changed my password. And after that, I went and finally signed up for 1Password to whip up some combinations of letters and numbers and punctuation that are extra-specially hard to crack. (And perhaps hard enough for me to remember that I won’t type them in, half asleep without looking at the URL.)
So no, I didn’t mean to tweet about “The fastest way to lose body-fat in 2 weeks.” But neither do you.