Twitter Discloses Reason For Several High Profile Account Security Breaches: Support Tools Compromised

Several high-profile Twitter users' accounts were breached today. Barack Obama, FoxNews, BritneySpears, RichSanchezcnn, LeoLaporte and others were all taken over. The posts made by the hackers on these accounts ranged from the funny (FoxNews announced that Bill O'Reilly is gay, RichSanchez said he was high on coke) to scams (Barack Obama offered prizes if you take a survey). The post from Biz over at Twitter is below:


Monday Morning Madness


This morning we discovered 33 Twitter accounts had been "hacked" including prominent Twitter-ers like Rick Sanchez and Barack Obama (who has not been Twittering since becoming the president elect due to transition issues). We immediately locked down the accounts and investigated the issue. Rick, Barack, and others are now back in control of their accounts.

What Happened?

The issue with these 33 accounts is different from the Phishing scam aimed at Twitter users this weekend. These accounts were compromised by an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can't remember or get stuck. We considered this a very serious breach of security and immediately took the support tools offline. We'll put them back only when they're safe and secure.

Reacting Quickly and Fixing the Problems

In addition to this Monday morning madness we're coming off a wacky weekend where lots of folks were tricked into participating in a Phishing scam aimed at Twitter users. In both cases, our on-call team was able to attend to the matter quickly and prevent too many people from being affected. Our support team is definitely going to have a busy week because we reset a bunch of passwords just to be on the safe side.

Could OAuth Have Helped?

We plan to release a closed beta of the open authentication protocol, OAuth, this month, but it's important to note that this would not have prevented a Phishing scam, nor would it have prevented these accounts from being compromised. OAuth is something we can provide so that folks who use third-party applications built on the Twitter API can access their data while protecting their account credentials.
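Twitter's post says the 33 accounts were taken over through the support tools that let agents edit a user's e-mail address. The snippet below is an added illustration (not Twitter's tooling, and no claim about what its tools did or lacked) of the controls a defender would want around that one support action: a role and second-factor check on the agent session, a short session lifetime, an audit record per change, an out-of-band notice to the previous address, and a detector that flags an agent who changes many accounts in a short window, which is the pattern a 33-account sweep would leave in the log. Every name, address and timestamp is constructed sample data.

```python
"""Guarded "change account e-mail" support action with audit and bulk-change detection.

Added illustration only: a hypothetical support console, not Twitter's code.
All accounts, agent ids and timestamps below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Callable
import time

SESSION_MAX_AGE = 15 * 60  # seconds an agent session stays valid before re-auth


@dataclass
class AgentSession:
    agent_id: str
    authenticated_at: float
    mfa_verified: bool = False
    roles: set = field(default_factory=set)  # least privilege: only "support" may edit contact data


@dataclass
class SupportConsole:
    accounts: dict                                   # account name -> current e-mail
    clock: Callable[[], float] = time.time           # injectable for testing
    audit_log: list = field(default_factory=list)    # one dict per change
    notifications: list = field(default_factory=list)  # (to_address, message) sent out of band

    def change_email(self, session: AgentSession, account: str,
                     new_email: str, ticket_id: str) -> tuple:
        """Apply the change only when every control passes; returns (ok, reason)."""
        now = self.clock()
        if "support" not in session.roles:
            return (False, "agent lacks support role")
        if not session.mfa_verified:
            return (False, "second factor not verified for this session")
        if now - session.authenticated_at > SESSION_MAX_AGE:
            return (False, "session expired, re-authenticate")
        if account not in self.accounts:
            return (False, "no such account")
        old_email = self.accounts[account]
        self.accounts[account] = new_email
        # Audit first: the record is what incident responders reconstruct from.
        self.audit_log.append({"ts": now, "agent": session.agent_id,
                               "action": "change_email", "account": account,
                               "old": old_email, "new": new_email,
                               "ticket": ticket_id})
        # Tell the previous address: the legitimate owner learns of a takeover attempt.
        self.notifications.append((old_email,
            f"Support changed the e-mail on account {account} (ticket {ticket_id}). "
            f"If you did not request this, contact support immediately."))
        return (True, "changed")


def flag_bulk_changes(audit_log: list, window_seconds: float, threshold: int) -> set:
    """Return agent ids with at least `threshold` changes inside any sliding window."""
    by_agent = {}
    for entry in audit_log:
        by_agent.setdefault(entry["agent"], []).append(entry["ts"])
    flagged = set()
    for agent, times in by_agent.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(agent)
                break
    return flagged


if __name__ == "__main__":
    fake_now = [1000.0]
    console = SupportConsole(accounts={"alice": "alice@example.invalid"},
                             clock=lambda: fake_now[0])
    agent = AgentSession("agent7", authenticated_at=1000.0, mfa_verified=True, roles={"support"})
    print(console.change_email(agent, "alice", "new@example.invalid", "T-100"))
    print(console.notifications)
```

The detector is deliberately simple: a sliding window over per-agent change timestamps. In practice the threshold would be tuned to normal ticket volume, but any support tool that can rewrite account recovery data should at least produce the log this function consumes.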

Obama launches iPhone app; US election good for Twitter

Obama Campaign launches iPhone app


Sen. Barack Obama's presidential campaign launched an iPhone application on Thursday that turns the vaunted device into a political recruiting tool. You can learn more about this app at the Obama iPhone app Web site.

The most notable feature "organizes and prioritizes your contacts by key battleground states, making it easy to reach out and make an impact quickly," according to the software.

On my phone, the application ranked contacts in Colorado, Michigan, and New Mexico at the top; at the bottom was a friend whose cell phone has a Texas number, though she actually lives in California.

The application anonymously reports back the number of calls made this way: "Your privacy is important: no personal data or contacts will be uploaded or stored. Only the total number of calls you make is uploaded anonymously."

The software is the latest effort by politicians to capitalize on technology, joining other examples such as ads distributed through YouTube, Web-based fund-raising, Facebook pages and fan groups, and e-mail recruitment drives.

The Obama for America iPhone application is available for download through Apple's iTunes store, said Raven Zachary, an iPhone consultant who's directing the launch effort.

A "get involved" feature uses the phone's GPS-based location sensing to find the nearest Obama campaign headquarters, and "local events" likewise pulls up a list of activities sorted by proximity.

A "media" section provides links to video and photos, but beware: YouTube showed errors following some of the links. Perhaps the newer videos hadn't been prepared for iPhone display yet.

The application also shows Obama statements to the news media and a guide to Obama's positions on various issues.

Additionally, the application shows how many calls have been made nationwide and how many you made. Those statistics are the kind that can motivate people--they can feel like they're part of something bigger. That may sound a bit silly as a motivational tool, but consider that Smule's Sonic Lighter application for the iPhone is popular, despite the fact that it costs 99 cents more than its free competition, likely because people can see where else on the globe people are using it and because the longer you run the application, the bigger your own spot on the map becomes. It's a kind of competition.


Twitter benefiting from US presidential election debates:


Twitter usage and sign-ups received a healthy boost during last Friday’s first presidential debate for the 08 campaign. The official Twitter blog reports that, despite Friday traditionally being a slow traffic day:

  • Friday updates jumped 18.5% from previous Friday.

  • Updates during the debate increased 160% compared to same time last week.

  • Signups on Friday were up 23%.

  • Signups during the debate were up 135% compared to same time last week.


Although, as Wired notes, the shot in the arm for Twitter also coincided with the company’s launch of a dedicated politics tracker - Twitter’s new Election 2008 site - and the blog/mainstream media attention that followed. Of course, the fact that this has translated into increased sign-ups and use suggests that, chicken or egg, the strategy is paying off.

Former Virginia Governor's Comment On Science At Convention Lights Up Twitter

Reposted from Wired

It didn't ignite the crowd at the Pepsi Center in Denver Tuesday night the way Hillary Clinton's speech did, but the 2008 Democratic National Convention keynote address by former Virginia Governor Mark Warner lit up the micro-blogging service Twitter as its geek community celebrated a throwaway line in Warner's speech.

Warner, a former Capitol Hill staffer for senator Chris Dodd (D-Connecticut) and telecommunications entrepreneur, focused his speech on creating an environment that keeps America competitive in the global economy.

In a one-liner, he quipped: "Just think about this: In four months, we will have an administration that actually believes in science!"

It was as if Warner were acknowledging a constituency that feels as if the Bush administration had thrown a Harry Potter invisible cloak over it for the past eight years. Many members of that online constituency poked their heads out from under the cloak on Twitter.

"In four months, we'll have an administration that actually believes in science. lol, but YEAH!" tweeted kmcg.

"My fav from 2nite: 'Just think about this: in six months we will have an administration that actually believes in science'-Mark Warner; YES!" agreed tujaded.

Those were just two of a slew of comments on Twitter reacting to Warner's remark. Here's a quick summary:


  • jlangenbeck: "Warner's speech was fantastic. We have to fund and tech to save this nation and remain competitive,"

  • epolitics: "Diggin' me some Mark Warner.  Science! (poetry in motion)"

  • dagsalot: "I'm a big fan of former Gov. Mark Warner right now. 'Think, in 4 months, we could have a presidency that believes in science!' It'd be nice!"

  • twitterdoug: "Best line of Warner's speech so far -- In four months we will have an administration that believes in science."


During his talk, Warner also pointed to the importance of broadband rollout, education and job training to keep jobs from migrating to India, referring to his own efforts as governor to revive small towns in Virginia.

"We delivered broadband to the most remote areas of our state, because if you can send a job to Bangalore, India, you can sure as heck send one to Danville, Virginia, and to Flint, Michigan, and to Scranton, Pennsylvania, and to Peoria, Illinois," he said. "In a global economy, you shouldn't have to leave your hometown to find a world-class job."

The Democrats have made broadband rollout part of their party platform, and both Obama and Warner have expressed support for net neutrality.

Update: Loopt Responds To Privacy Concerns (Kinda)

Yesterday I made a post about how the new iPhone application, Loopt, was causing a lot of angst amongst some top bloggers, and people I admire, about the completely idiotic way in which it handles user invites. The main issue dealt with privacy concerns stemming from people getting invites from people they didn't know - people they hadn't given their phone number out to. The invites were sent, unsolicited, via SMS (a big no-no). Loopt has responded on their company blog, first making a small post that seemed to brush off the concerns without addressing the actual question. Later, when the uproar of complaints grew louder and more numerous, they attempted to quell the anger in more depth. iJustine's initial post about the problem has now made Techmeme, which should accelerate awareness. This seems to be working already, as InfoWeek has just written an article chronicling the details of the problem.

Loopt SMS Invites Violate User Privacy

As many of you may or may not know, Loopt, the social networking "service", stalks your location wherever you go and broadcasts it to your friends, but beware of the "invite friends" screen. Apparently a "bug" (yeah right) causes you to invite everyone through SMS spam, and there's no way to unsubscribe either.

Notable bloggers such as iJustine, Merlin Mann, & Veronica Belmont have been affected.

This is what Merlin posted on his tumblr:



The Loopt SMS Mess


[previously, on Kung Fu Grippe]

I have a post underway for 43 Folders on this Loopt.com SMS invite mess. I’m letting the post season for a day or three while I do some necessary fact-checking and try to verify the details of what sounds like a very confusing piece of GUI in the Loopt iPhone app which apparently makes it trivially — even accidentally — easy to send SMS invitation spam to multiples of people whose mobile numbers live in your Address Book. At the recipient’s expense. And without prior permission. And, apparently, without user confirmation. [This is Bad.]

I’m still trying to make sure I understand precisely how this works, but if Loopt is doing anything that involves sending SMSs without the recipients’ prior opt-in — and then refuses to do anything about stopping it — this will deservedly escalate into a pop-the-popcorn, old-school, privacy shitstorm. (And, no, I will not be signing up for Loopt myself because — well — I don’t want to accidentally spam everyone I know. I’m like that.)

Here’s one anecdote for you. Justine Ezarik — who’s had the bad fortune to have to change her phone number numerous times owing to creeps — is just one of the folks who unknowingly sent her phone number and exact location to “a large portion of [her] contact list”.

I’ll give you a minute for that to sink in, because if you’re a connected person, you may want to ponder the consequences of unintentionally sending creepy bullshit to colleagues and business contacts who are too busy to care what you’re “geo-tagging” at a given time. I know, because I’m one of them. Hi.

Justine said:

If there’s one thing that I hate more than anything, it’s sending out invites to a service. Especially one I’ve never tried and haven’t been actively using for more than 15 seconds.

Never once did I see a confirmation message that my friends would be getting an invite. The worst part about it is that my phone number was sent along with every invite as a text message to my friends. I just recently got a new phone number and I haven’t been as free with this as I have been in the past.

Very interesting comment in Justine’s post from Martin May, who is one of the founders of ostensible Loopt competitor, Brightkite. I will quote this in its entirety, because, if this is all accurate, it seems to cement my hunch that the Loopt folks have swallowed a fat, dewy booger with this one. Martin’s comment:

Disclaimer: I am one of the founders of Brightkite.

Thought I’d throw in my 2 cents. First of all, I’d like to say that loopt has done a pretty good job with their app, and you can tell that they’ve put a ton of work into it. Naturally, I think that ours will be better, but I’ll let you be the judge of that when we release it later this month.

Concerning SMS spam: I was really surprised to see loopt violate quite a few of the MMA guidelines (http://www.mmaglobal.com/bestpractices.pdf) for SMS programs. The highlights:

1) Through the invite feature, the loopt app sends unsolicited messages to your contacts from their shortcode. According to the MMA guidelines, that’s a big no-no.

2) As some have pointed out, the loopt shortcode (56678) does not respond appropriately to HELP and STOP commands, as required by the MMA guidelines. Those commands are essential, and to be honest I am unsure how loopt got carrier approval without implementing them.

3) I couldn’t find information on loopt’s website detailing how to opt-out, another requirement in the MMA guidelines.

From what I understand, those “guidelines” are actually more than just guidelines, they’re requirements to get carrier approval. When we applied for our shortcode, we spent a lot of time making sure that we get these things right.

All that being said, I am sure that loopt will address those problems very soon. I know first-hand that it can be tough to get things 100% right at launch, especially in this new space, so let’s cut them some slack and give them a few weeks to fix things.

I haven’t yet seen a reason to share Martin’s very civil optimism — Loopt’s responses to people’s very real concerns about this stuff have so far consisted of friendly, beige, and very politely-worded blow-offs. So, the ball’s in Loopt’s court now as far as I’m concerned. I’m standing by, ready to be persuaded that this company has not leveraged my private data to build their userbase. At my expense.

For what it’s worth, deep in the bowels of their “Privacy Notice,” Loopt says (my emphasis in the last sentence):

“INVITE-A-FRIEND INFORMATION”: If you choose to use our invite-a-friend feature, then Loopt will ask you for your friend’s mobile phone number or email address. If you provide a friend’s mobile phone number, then Loopt will automatically send to that friend a one-time text message inviting your friend to join the Loopt Service and to add you as their friend. If your friend’s phone number is on a wireless provider and/or mobile device that is not supported by Loopt, then your friend will not receive this text message until their wireless provider and/or mobile device supports the Loopt Services. If you provide a friend’s email address, then Loopt will automatically send that friend a one-time email inviting your friend to register on the Loopt website. Your friend may contact Loopt at privacy@loopt.com to request that Loopt remove this information from our systems.

Well, that’s nice. You can email them. I sure did.

Friends, my patience with organizations that feel you should have to email them in order to not have your private information abused has passed the breaking point. If Loopt chooses not to see this nonsense as an invasive and potentially costly breach of many peoples’ privacy, then I pity the actual Loopt users who agreed to let these people publicly announce where they are all the time. Suddenly this goes from “potentially kinda creepy” to “Holy mackerel, what the fuck were you thinking?”

Loopt needs to step up, acknowledge this confusion, unconfuse-ify it, and then fix the goddamn hole. Turn it off. Like: quick. Wait for “weeks,” Martin counsels? That would be a real shame. Unless you’re feeling enthused by the prospect of unintentionally sharing your precise location with your exes, your old boss, that weird cat sitter you fired, or the sketchy halitosis dude you met at JavaOne in fucking 1997.

Maybe today I’m simply as old as I feel, but this kind of shit is just bone-chilling to me. And whenever companies shrug and try to make it seem like it’s somehow my responsibility to clean up the shit their half-assed “viral” business model left at my door? Man, that’s just galling to me. Galling.

Listen: if Loopt has something substantial to say about all this (beyond the solicitous spin mode they’re polo-shirting around in right now), I will happily link to it from this modest space. A lot of people I respect seem to love these guys and their app, so I hope the Loopt folks will do the right thing and own up to a seriously bone-headed move. That’s on them.

As I leave for tonight, though, I will once more point you to my thread about this at Get Satisfaction, where a number of people have jumped in to express their own similar frustration with this issue. If you have relevant information to share that would help illuminate what’s going on — especially if, like me, you’ve received an SMS via Loopt from someone you don’t know — I hope you’ll consider adding your thoughts to that thread.

More soon — and thanks for hearing me out.
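The thread above makes three concrete complaints: invites went out without a confirmation step, the short code did not honour HELP and STOP as the MMA guidelines require, and the inviter's own phone number was placed in every message. The code below is an added illustration, not Loopt's or Brightkite's, of an invite flow that addresses all three: nothing is sent to a contact the user did not explicitly tick, inbound STOP/HELP keywords on a (placeholder) short code are handled and opt-outs are enforced on later sends, and a pre-send check refuses any message body that contains the inviter's number. The numbers, short code and message texts are constructed sample values.

```python
"""Consent-aware SMS invite flow with STOP/HELP handling.

Added illustration only; assumes a hypothetical short-code service, not any
real vendor's. All phone numbers, the short code and texts are constructed.
"""
from dataclasses import dataclass, field

SHORT_CODE = "00000"  # placeholder, not a real short code
STOP_KEYWORDS = {"STOP", "END", "CANCEL", "UNSUBSCRIBE", "QUIT"}
HELP_KEYWORDS = {"HELP", "INFO"}
HELP_TEXT = ("ExampleApp invite msgs. Reply STOP to opt out. "
             "Help: support@example.invalid")
STOP_TEXT = "You are opted out of ExampleApp messages. No further messages will be sent."


def body_leaks_number(body: str, number: str) -> bool:
    """True if the national part of `number` appears among the digits of `body`.

    Digits are compared with formatting stripped, so "555-000-0100" and
    "+15550000100" match. Concatenating all body digits is conservative:
    a false positive blocks a message, a false negative would leak a number.
    """
    digits = "".join(ch for ch in number if ch.isdigit())
    body_digits = "".join(ch for ch in body if ch.isdigit())
    tail = digits[-10:] if len(digits) > 10 else digits
    return tail in body_digits


@dataclass
class InviteService:
    opted_out: set = field(default_factory=set)  # numbers that replied STOP
    outbox: list = field(default_factory=list)   # (to, body) handed to the carrier

    def handle_inbound(self, sender: str, text: str) -> str:
        """Process a message sent to the short code and return the auto-reply."""
        keyword = text.strip().upper()
        if keyword in STOP_KEYWORDS:
            self.opted_out.add(sender)
            return STOP_TEXT
        # HELP, and any unrecognised keyword, gets the help text so the
        # recipient always learns who is messaging them and how to stop it.
        return HELP_TEXT

    def send_invites(self, inviter_name: str, inviter_number: str,
                     address_book: list, confirmed: set) -> dict:
        """Send invites only to contacts the user ticked in a confirmation step.

        Returns what was sent and what was skipped so the UI can show the user
        exactly who was contacted.
        """
        result = {"sent": [], "unconfirmed": [], "opted_out": [], "blocked": []}
        for number in address_book:
            if number not in confirmed:
                result["unconfirmed"].append(number)   # never send without explicit consent
                continue
            if number in self.opted_out:
                result["opted_out"].append(number)     # STOP must be honoured on every send
                continue
            body = (f"{inviter_name} invited you to ExampleApp ({SHORT_CODE}). "
                    f"Reply STOP to opt out, HELP for help.")
            if body_leaks_number(body, inviter_number):
                result["blocked"].append(number)       # never disclose the inviter's number
                continue
            self.outbox.append((number, body))
            result["sent"].append(number)
        return result


if __name__ == "__main__":
    svc = InviteService()
    print(svc.handle_inbound("+15550000003", "stop"))
    book = ["+15550000001", "+15550000002", "+15550000003"]
    print(svc.send_invites("Alice", "+15550000100", book, confirmed={"+15550000001", "+15550000003"}))
```

The confirmation set is the whole point: the app's address book is input, but only the subset the user actively selected is ever eligible, and the opt-out list is checked on every send rather than once at sign-up.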

