The text message from my youngest brother was a slap in the face: “You promoting scams for stay at home Moms or has your Twitter account been hacked”. Umm, the latter. Someone had posted SPAM from my Twitter account. Emotionally I had a flashback to when I discovered my briefcase (complete with laptop, passport, etc.) had been stolen a couple of years ago. Someone getting into my Twitter account was no big deal, but the potential implications were enormous. If they had my Twitter password then what else did they have? Could my email, bank account, and other critical personal accounts be at risk? Was one of our computers infected with malware and thus a continuing threat?
What exactly to do in these situations turns out to be far more complicated than we’d like to believe. I took the obvious first step in deleting the offending tweet and changing my Twitter password, but what should I do next? I could go change all my passwords, but what if the computer I did this from was infected with malware? In that case changing my passwords would actually be exposing the new ones! And if my computer wasn’t infected then how was my Twitter account compromised?
I decided to take a two-prong approach, aggressively checking every computer I owned for malware while thinking through the possibilities around the breach. I made sure I had the latest signatures for both Microsoft Security Essentials and Immunet and had them each perform a full scan on each computer. Nothing. I downloaded and ran two standalone Rootkit detectors, Sophos Anti-Rootkit and GMER. Nothing. Finally I rebooted each of the computers (except the one with full drive encryption) with the standalone Linux-based Bitdefender Rescue Disk, updated the signatures over the network, and performed a full scan. Nothing. Apparently the computers are clean.
While all this was going on I was thinking through how the account could have been hacked. To complicate matters, I’d been out of the country for 3 weeks. Could I have slipped up and exposed my password(s) over an unprotected WiFi network? I was quite careful during this trip, using my VPN whenever I was accessing a password-protected site over WiFi. And I have Twitter set to always use SSL. Not only that, I don’t recall logging in to my Twitter account during the trip! Looking at my account the only posting I made was an indirect one, where WordPress posted a link to a blog entry. Could WordPress or the WordPress->Twitter connection have been compromised? I’ve changed my WordPress password as another precaution.
The Twitter Help Center contains this little tidbit:
Unexpected updates don’t always mean that your account was hacked. Occasionally, a third-party application can have a bug that causes unexpected behavior. If you see strange behavior, changing your password and/or revoking connections will stop it, as the application will no longer have access to your account.
Could that be it? Could one of the apps with access to my account have been used to post to my Twitter account? Actually, I’m hoping this is the answer. I went and disabled access for those apps that I don’t use regularly, such as TweetMeme and DISQUS, to reduce the “attack surface”. But this is a precaution, not an answer.
There are other scary options. What if I fell victim to an evil-twin attack, wherein I was connecting to a rogue WiFi hotspot rather than the one I thought I was connecting to? Worse, you can evil-twin a mobile base station, and I don’t generally use a VPN when accessing a network over 3G. Was what seems like a largely theoretical threat here in the U.S. a very real threat in (for example) Russia? Or what if my personal VPN provider’s servers have been compromised? BREATHE!
I don’t think I’ll ever have an answer, and since there are no signs of other unauthorized activity anywhere I’m starting to relax. But what really keeps going through my head is this: if someone who is fully aware of the threats, and is careful to mitigate against them, can be compromised then what about the other 99.999% of people out there?