Last week’s flurry of Twitter DM spam from hacked or phished accounts wasn’t the first instance of that and won’t be the last.
As long as people are willing to trust their Twitter log-in information to third parties – and don’t look carefully at URLs before they log into websites – and as long as a small number of bad actors want to pee in the social media swimming pool, this kind of thing will continue happening.
And it’s not just the log-in-here-and-we-will-steal-your-password.com’s of the world you have to worry about. Legitimate third-party services whose security isn’t up to snuff could be compromised, and your credentials could be stolen from them. Twitter’s use of OAuth is a big step forward… although the rash of Mobster World spam shows that that isn’t a perfect solution either.
Apparently there’s no substitute for ruthlessly and constantly policing your own feed, thoroughly investigating services before you sign up for them, double-checking the URL every time you are about to enter info into a form, and regularly purging your OAuth settings of services you no longer use.
Also, to be safe, change your password regularly… you don’t have to be obsessive about it: every three hours or so should be enough. And because erring on the side of caution is always a good idea, fake your own suicide and change your identity at least once a year.
And you thought Twitter was going to be fun? Slacker.
