Twitter convenience vs. security – a cautionary tale

Last Thursday ended up being a very interesting afternoon.  During lunch I went out to run some errands.  At one point (while waiting at a red light) I checked Twitter to see the following:

[image: kevinmic-hack-tweet-notice1 – the tweet from @AppraiserJenn warning me about the link]

I’m grateful that @AppraiserJenn took the time to let me know.  A few hours earlier I had tweeted a link to a blog post by Rachel Happe (@rhappe) on the Community Maturity Model, using the bit.ly link-shortening service.  I’ve had great luck with the bit.ly service, so I doubted the problem happened with them, but since I was on the road and couldn’t look into it — I was concerned.  At another stop light I tweeted apologies, then rushed back to work to see how bad the damage was.

Back at work I finally saw the mystery tweet, which was supposedly sent “from web”.  Problem is, it was sent while I was driving.  And I didn’t send it.

[image: kevinmic-hack-tweet – the mystery tweet, marked as sent “from web”]

That was enough to convince me that somehow my account had been hacked.  I immediately logged in to change my Twitter password (it took 5 tries because Twitter was again “over capacity”).  I also went into my profile to see what applications/services I had authorized (under Settings/Connections).  Changing my password was probably enough, but I was feeling a bit violated.

I’m a pretty trusting person and love trying out new services, so I’ve very freely been entering my Twitter username and password many places.  Why copy and paste when I can just click “tweet this”?  Until I forget about this eventful Thursday (which I’m sure I will), I’m only using my desktop Twitter client, BlackBerry client, and TwitterFeed.

What can you do to prevent this from happening?

  1. Pick a real password!  Easy to remember, hard to guess (which mine was)
  2. Be careful who you give your username and password to (which I wasn’t)
  3. Change your password periodically (I’m very bad about this)
  4. Don’t use the same password for everything (now working on changing them all)

Twitter is also trying to help us by creating OAuth, so we won’t have to give out our passwords to use 3rd party sites/services.  When you want the 3rd party application to have access to your Twitter account, that app calls Twitter and Twitter manages the login process.  Twitter remembers what applications you’ve authorized (TwitterFeed uses this service), so you can go into your Twitter settings and revoke access at any time.  No password was given to the 3rd party site.
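The delegation described above, as an added example that is not part of the original post: a stand-in provider (TwitterSim), constructed app credentials, a placeholder endpoint, and OAuth 1.0a HMAC-SHA1 request signing (RFC 5849) with the request-token/access-token dance collapsed into a single authorize() call. It shows the app proving itself with a token rather than the user’s password, a request altered after signing failing verification, and revocation cutting the app off without any password change.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote
_enc = lambda s: quote(str(s), safe="~")   # OAuth percent-encoding (RFC 5849 3.6)

def base_string(method, url, params):
    """Signature base string: METHOD & url & sorted, encoded parameters."""
    norm = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), _enc(url), _enc(norm)])

def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed by 'consumer_secret&token_secret'."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

class TwitterSim:
    """Stand-in provider (constructed for this example): passwords and token secrets stay here."""
    def __init__(self, consumers):
        self.consumers = dict(consumers)   # consumer_key -> consumer_secret
        self.tokens = {}                   # access token -> (consumer_key, user, token_secret)
    def authorize(self, consumer_key, user):
        """User logs in here and approves the app; the app receives only a token pair."""
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = (consumer_key, user, sec)
        return tok, sec
    def revoke(self, token):
        self.tokens.pop(token, None)       # the Settings/Connections "revoke" action
    def verify(self, method, url, params):
        """Return the acting user if the signature checks out and the token is still live."""
        rec = self.tokens.get(params.get("oauth_token"))
        if rec is None or rec[0] != params.get("oauth_consumer_key"): return None
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, self.consumers[rec[0]], rec[2])
        return rec[1] if hmac.compare_digest(expected, params.get("oauth_signature", "")) else None

def signed_request(ckey, csecret, token, tsecret, method, url, body):
    """App side: attach oauth_* parameters and sign; no username or password involved."""
    params = dict(body, oauth_consumer_key=ckey, oauth_token=token, oauth_version="1.0",
                  oauth_signature_method="HMAC-SHA1", oauth_nonce=secrets.token_hex(8),
                  oauth_timestamp=str(int(time.time())))
    params["oauth_signature"] = sign(method, url, params, csecret, tsecret)
    return params

def demo():
    twitter = TwitterSim({"feed-app-key": "feed-app-secret"})   # constructed credentials
    tok, sec = twitter.authorize("feed-app-key", "kevin")
    url = "https://example.invalid/statuses/update.json"         # placeholder endpoint
    req = signed_request("feed-app-key", "feed-app-secret", tok, sec, "POST", url, {"status": "hi"})
    ok = twitter.verify("POST", url, req)                        # "kevin": valid delegated call
    tampered = twitter.verify("POST", url, dict(req, status="x"))  # None: body changed after signing
    twitter.revoke(tok)
    revoked = twitter.verify("POST", url, req)                   # None: access pulled, password untouched
    return ok, tampered, revoked
```

A real provider also rejects reused nonces and stale timestamps to stop replay of a captured signed request; that check is left out here to keep the exchange short.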

-k

(for those wondering, my curiosity got the best of me late in the day and I clicked the link.  Let’s just say it’s about “male enhancement”. Definitely not safe for work!)


Comments

2 responses to “Twitter convenience vs. security – a cautionary tale”

  1. AG

    Why not use identi.ca ? There are fewer problems on identi.ca. Additionally, the Laconica microblogging server is _totally_ open.