Celebrities caught in Twitter phishing scheme

Twitter recently posted a warning on their company blog about people sending private messages with links to a phishing site that poses as Twitter’s login page. The messages link to a bogus URL, twitter.access-logins.com, in hopes that the victim will re-enter their Twitter username and password without noticing that the URL is incorrect.
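
A defender-side check for the trick described above, as an added example that is not from the original post or from Twitter: it trusts a link only when its host is twitter.com or a true subdomain, and flags hosts that merely contain the brand name. The trusted-domain rule, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumptions for this example: only twitter.com and its subdomains may host
# a Twitter login form; names and sample messages are constructed.
TRUSTED_DOMAIN = "twitter.com"
BRAND = "twitter"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_link(url, trusted=TRUSTED_DOMAIN, brand=BRAND):
    """Return 'trusted', 'lookalike' or 'unrelated' for one link."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return "unrelated"
    # Trusted only on an exact match or a true subdomain. The leading dot
    # matters: a bare suffix test would accept any host that merely ends
    # in the same letters.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # The brand name appears in a host we do not trust: this is the pattern
    # from the post, where "twitter" is only a subdomain label.
    if brand in host:
        return "lookalike"
    return "unrelated"


def flag_message(text):
    """Return links in a message whose host imitates the trusted domain."""
    return [u for u in URL_RE.findall(text) if classify_link(u) == "lookalike"]


# Constructed direct messages; the first uses the host named in the post.
SAMPLE_DMS = [
    "is this you? http://twitter.access-logins.com/login",
    "log in here: https://twitter.com/login",
    "slides are at http://example.org/talk and http://twitter.com.login.example/",
]

if __name__ == "__main__":
    for dm in SAMPLE_DMS:
        print(flag_message(dm) or "ok", "<-", dm)
```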

A few celebrity accounts may have gotten caught with the password phishing scheme, including Rick Sanchez of CNN, whose feed included a recent update: "i am high on crack right now and might not be coming into work today".

Other affected accounts include Fox News and Britney Spears, which also had bogus posts to their Twitter feeds.

Is it time for two-factor authentication on popular social networking sites? How about a fingerprint scan plus an RSA token key? Anyone? Anyone? No? Bad idea? Okay, maybe you’re right.

Update #1: Twitter later announced in a separate update on their blog that the issue with the celebrity accounts being hacked (33 in all) was the act of a single individual, and not related to the phishing scam that was happening earlier.  According to the Twitter blog, the hacker took advantage of support tools that are intended to allow support engineers to help people who have forgotten their passwords.  They’ve since shut down the tools, and are taking the security breach "seriously."

Having both issues arise in such a short period of time is an unfortunate series of PR setbacks for Twitter, especially since they are still in the process of looking for a Product Manager to help them build a plan to become profitable.  As ReadWriteWeb posited earlier today, who would want to pay for a service which appears to be insecure and vulnerable to phishing attacks and backdoor account hijacking?

Update #2: CNN has additional coverage of the security issues and password phishing at Twitter, including commentary regarding Rick Sanchez’s account being compromised.  Rick’s account has been restored, and he will continue to use it as a way to communicate with viewers.

[Twitter Blog, c/o CNET News]

