Twitter, the micro-blogging service, is finding that scammers can steal identities even when they have only 140 characters or fewer to work with.
On Saturday, the service put out a warning that users may receive direct messages from services with links to what is purported to be Twitter, which could encourage them to give away their login information.
It specifically cites http://twitter.access-logins.com.
Blogger Chris Pirillo also drew attention to this and another scam in this post.
Twitterers have already had their hackles raised this week by twply.com. It offered a service that promised to forward personal Twitter messages to users’ inboxes.
Users have become accustomed to trusting their login information to enable similar add-on features offered by the ecosystem of Twitter developers.
However, twply abused this trust by using the account information to send out its own message via the user who had just signed up.
“Just started using http://twply.com/ to get my @replies via email. Neat stuff!,” was the tweet, making it appear that this was a personal recommendation and encouraging others to sign up.
Another service, MrTweet, was guilty of a similar abuse last month, sending out from users’ accounts:
“Checking out @MrTweet, my personal assistant for discovering the great followers and influencers in my network!”
The spread of identity theft and spam to Twitter may appear inevitable, but it has come as a shock to Twitterers who have fallen victim. The implication is that users may be more cautious in future about signing up for the add-ons that constantly appear for the service, and such services may need to be more upfront about how they will use login information.
Twitter should be asking itself what it can do to safeguard users from having their logins stolen and used to generate spam. It has offered a plain vanilla service thus far and relied on others to develop its many bells and whistles.
These incidents are exposing this as a weakness – security is a basic requirement to maintain trust and Twitter has abdicated responsibility to some extent by leaving others to develop services that leverage the logins of its users.
All it is offering at present is the advice that users should change their passwords if they think their account has been hijacked.

