It looks like either Twitter or a third-party Twitter service was hacked today by an adult webcam site. Chances are that you have seen the following message in your Twitter stream at some point in the last few hours: “hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com.” The constant stream of messages just stopped as we were writing this story. We have asked Twitter for a response and will update this post as soon as we hear more.
Update 1: According to security firm Trend Micro, the webcam site serves up “an obfuscated JavaScript that loads up porn related advertisments on the browsing computer.” It is still not clear how the Twitter users’ accounts were compromised, however.
Update 2: Here is Twitter’s reaction. Apparently, about 750 accounts were compromised in this attack. Twitter has reset these users’ passwords and deleted the webcam tweets. Still no news about how the hackers got a hold of the passwords.
For now, we recommend that you check your updates to see if this message appears in your stream. If it does, you’ll probably want to change your password immediately.
Twitter itself has a decent track record when it comes to security (though some celebrities’ accounts were hacked a while back), so we assume that this hack originated somewhere else, but for now, it is not clear how these hackers managed to get a hold of all of these users’ accounts.
The last Twitter ‘hack’ turned out to be relatively benign and just exploited a well-known security hole but didn’t actually steal users’ passwords or direct them to an adult site. Until Twitter’s oAuth implementation goes fully live however (Twitter is testing it with a select group of developers right now), users have to hand over their full Twitter credentials to every third-party Twitter service, which could allow a malevolent programmer to easily create a huge database of logins and passwords.
Update 3: looking a bit more into this, it seems like the same scam has appeared on IM services like MSN Messnger and also on Facebook.