What’s Up With Multiple Twitter Password Reset Emails?

Allen Stern - December 29th, 2009

A friend of mine forwarded an email he received from Twitter this morning. The email (shown below) notes, “Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset.” He went to the link in the email and reset his password. The same email was sent two additional times with different links, meaning that his password was reset at least three times. He has never shared his Twitter password and only uses a few trusted third-party apps using the OAuth protocol.

A Twitter search for “password reset” shows that others are having a similar issue. Here are a few sample messages:

  • HazardousInk: For some reason Twitter had to tell that my password was reset 23 times.
  • danielkorn: Anybody else have to reset their Twitter password today? – has I got hax0red?
  • hannahnicklin: Got email saying password was changed, ignored as phishing but they had! Had to use “reset password” to get can’t post use clients for 1hr.
  • cristianciofu: the reason: Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter your password was reset
  • airdate: “Due to concern that your account may have been compromised in a phishing attack that took place off-Twitter, your password was reset.” huh.
  • zakkain: Had a password scare just now. Goddamnit, Reset it, seems to be fine. Changed all my web passwords to be safe anyway. Whew.

So what’s going on? What does “took place off-Twitter” mean? I assume it means some app or third-party phishing attack. My friend thinks Twitter should include more details in the emails they send so that users can make any changes or inform others as needed.

Update: Jimmy Gardner at Tech Cocktail has posted regarding this issue as well.

6 COMMENTS
  1. Shyam Kapur says:

    This is worrisome. A site like TipTop http://FeelTipTop.com can also help to shed light on what might be going on. For example, take a look at http://www.feeltiptop.com/password%20reset/

  2. Are we sure this isn’t a phishing attack in itself? We’re sure that the e-mail was genuinely from Twitter?

    • Allen Stern says:

      I can only say that the emails have the twitter.com URL.

      • Darren says:

        Yeah, it was Twitter emails, the first thing I checked. Also it was only when I tried to log in to Twitter I found out my password had been changed and then checked my email and there were emails from Twitter.

  3. [...] That’s reassuring, isn’t it? So I can only assume Twitter had some sort of security breach as I DID NOT respond to any phishing emails .. I think someone over there needs to come clean as there are others having the same issues according to this post over at Centernetworks. [...]

  4. Jimmy says:

    I had that same issue on one of my secondary Twitter accounts.
    Then my TweetDeck told me that my password had been reset on my main Twitter account, and clearly I had not changed it….
    I cannot even use the page to reset my password, it tells me my account reset has been locked.
    I have a support request open, but no word yet …

    Sucks
