Weight loss spam is once again being massively spewed out from compromised Twitter accounts, but the question on everyone’s mind is how the accounts got commandeered by the spammers in the first place.
Apparently it was first noticed a few days ago, when a Sydney Morning Herald reporter spotted that a friend’s Twitter account was displaying the following message: “I lost so much weight with this secret trick! [link removed]”.
Knowing that the friend in question is both tech-savvy and paranoid, the two went through the possible compromise scenarios together. Having ruled out phishing and a brute-forced password, and taking into account the scale of the spam run, they concluded that a third-party service with access to her Twitter account had most likely been compromised.
The theory is supported by the fact that a similar spam message (“If I didn’t try this my life wouldn’t have changed. [link removed]”) was spotted being sent from random Twitter accounts on Wednesday and Thursday, and those tweets carried the source tag “via weheartit.com”, the label Twitter attaches to tweets posted through a third-party application.
We Heart It is an image-based social network for organizing and sharing inspiring images, and they confirmed that their application is one of several that have been “impacted by a hacker using connected Twitter accounts to send out falsified Tweets.”
“It appears that only a small fraction of We Heart It’s users were impacted by the ‘spam’ hack and at this time, we have no indication that any of our users’ personal information was compromised as a result of this attack,” they pointed out, and added that they are working both internally and with Twitter to investigate the root cause of the compromise.
They also temporarily disabled, and later restored, the ability to connect to We Heart It via Twitter accounts.
Commenters on blog posts and on Twitter are speculating about the cause of the hack, but it seems all but certain that the accounts were abused after a website or service that held authorized access to them was breached.
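To make that mechanism concrete, here is an added Python example, written for this page and not code from the article, from Twitter or from We Heart It, of the OAuth 1.0a request signing that the Twitter API of the time used for third-party applications. The signer is checked against the published test vector from the OAuth Core 1.0 specification (Appendix A); the tweet-posting endpoint, the app and user secrets, the username and the spam text are constructed stand-ins, and the server-side verifier is a mock. It shows what a connected app’s token store actually contains, that the signing key is built from the app secret and the per-user token secret and never from the user’s password, and that a stolen token keeps working through a password change and stops only when the grant is revoked.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Assumed for illustration: the tweet-posting endpoint of the era's Twitter API.
TWEET_URL = "https://api.twitter.com/1.1/statuses/update.json"


def pct(value) -> str:
    """Percent-encode per RFC 3986, leaving only the unreserved set bare (the OAuth 1.0a rule)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """Concatenate METHOD & encoded URL & encoded, sorted parameters (RFC 5849 section 3.4.1)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str) -> str:
    """Sign with the key consumer_secret&token_secret. The user's password is not part of the key."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Client side: what an app (or whoever holds its token store) sends to post as the user."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    signed = {**params, **oauth}
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


def verify_request(method, url, signed, consumer_secrets, token_store):
    """Server side (constructed mock): recompute the signature from the stored secrets.

    consumer_secrets maps consumer key -> app secret; token_store maps access token ->
    (token secret, username). Returns the username on success, None otherwise.
    Nonce and timestamp replay checks are deliberately omitted here.
    """
    params = dict(signed)
    presented = params.pop("oauth_signature", None)
    app_secret = consumer_secrets.get(params.get("oauth_consumer_key"))
    record = token_store.get(params.get("oauth_token"))
    if presented is None or app_secret is None or record is None:
        return None
    token_secret, username = record
    expected = hmac_sha1_signature(signature_base_string(method, url, params), app_secret, token_secret)
    return username if hmac.compare_digest(expected, presented) else None


# Known-answer test from OAuth Core 1.0, Appendix A (published example values).
SPEC_VECTOR = dict(
    method="GET", url="http://photos.example.net/photos",
    params={"file": "vacation.jpg", "size": "original"},
    consumer_key="dpf43f3p2l4k3l03", consumer_secret="kd94hf93k423kf44",
    token="nnch734d00sl2jdk", token_secret="pfkkdhi9sl3r4s00",
    nonce="kllo9940pd9333jh", timestamp=1191242096,
)


def spec_vector_signature() -> str:
    """Signature for the spec example; the spec lists tR3+Ty81lMeYAr/Fid0kMTYa/WM=."""
    return sign_request(**SPEC_VECTOR)["oauth_signature"]


def spam_scenario() -> dict:
    """Constructed model of the incident: an app's token store leaks, the user changes
    her password (no effect on the tokens), then revokes the app (tokens stop working)."""
    consumer_secrets = {"app-key": "app-secret"}                  # Twitter's record of the app
    token_store = {"user-token": ("user-token-secret", "alice")}  # Twitter's record of the grant
    user_passwords = {"alice": "old-password"}                    # never consulted by verify_request
    leaked = dict(consumer_key="app-key", consumer_secret="app-secret",
                  token="user-token", token_secret="user-token-secret")  # stolen from the app
    spam = {"status": "I lost so much weight with this secret trick! [link removed]"}

    def attacker_posts() -> bool:
        signed = sign_request("POST", TWEET_URL, spam, nonce="n1", timestamp=1, **leaked)
        return verify_request("POST", TWEET_URL, signed, consumer_secrets, token_store) == "alice"

    result = {"stolen_token_posts": attacker_posts()}
    user_passwords["alice"] = "a-long-unique-passphrase"   # the user changes her password
    result["still_posts_after_password_change"] = attacker_posts()
    del token_store["user-token"]                           # the user revokes the app's access
    result["blocked_after_revocation"] = not attacker_posts()
    return result
```

Calling spam_scenario() walks through the three states; a real server would additionally reject replayed nonces and stale timestamps, which the mock leaves out, and it would store the token secret exactly as this one does, which is why a breach on either side of the grant exposes it.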
So far it seems that the pages to which the offending links point are not malicious per se, but users are advised not to visit them nonetheless.
In any case, changing your Twitter password to something long, complex and unique is a good idea, as is going through the list of apps and services that have access to your account and pruning it to the absolute minimum. Bear in mind that a connected app posts through an access token it was issued, not through your password, so revoking the app is what reliably cuts off its access. Consider also enabling Twitter’s two-factor authentication option (if you can).