Liz Gannes of All Things D had her Twitter account compromised earlier this week. Although the damage was minor, she wrote about the experience explaining how the account was compromised along with suggestions on how to avoid being a victim.
The first thing I saw when I glanced at my phone, bleary-eyed in bed on Sunday morning, was a direct message from a friend. It said “FYI this profile on twitter [LINK] is spreading nasty blogs around about you.”... When I clicked through from my phone to a page that asked me to log into Twitter, I entered my credentials...Hours later, of course...I saw the webpage I’d typed my Twitter password into was “http://itwtier.com/.” Oops
I've seen messages like this from my friends across social networks like Twitter and Facebook, some of them are very convincing. I've always wondered how the scam works. Thanks to Liz, now I know.
This yet again illustrates the importance of using unique passwords across multiple sites. If Liz used the same password on her Twitter account on multiple services, she's vulnerable to having those services compromised too. It also illustrates how a tool like 1Password can come in handy. In my case, I don't know my Twitter password, it's a string of randomly generated letters and numbers that I use 1Password to auto-fill. In the case of this scam, 1Password would have been my last barrier of defense in that it would not have recognized the domain "itwtier.com" and refused to auto-fill the password. One final warning to get the heck out of dodge.
Full disclosure: 1Password is a long time sponsor of Mac Power Users