Twitter Refuses to Warn Users But Accounts Hijacked Hacked Scam Website


by copythis

Happened: In The News

Yeah, Twitter accounts are being hacked--and, yeah, Twitter knows about it. The company knows accounts have been compromised for a month. But Twitter refuses to notify users that consumerwarningsreport.com is hijacking user accounts, even sending tweets from those compromised accounts--leading to a scam website for making $6,795 per month as a stay-at-home mom.
 
Somewhere from June 2011 (at least June 16, 2011 according to reports from Twitter users with hacked accounts) until now (July 14, 2011) numerous Twitter accounts have continued to be hacked or hijacked by an entity apparently related to the scam website of consumerwarningsreport.com. Twitter users had tweets sent out about the company -- from their own Twitter accounts.
 
It's about time someone asks the social networking website why it's not warning its own users about a worm, bot or whatever method is allowing Twitter accounts to be hijacked. The company needs to provide some answers as to why it refuses to properly notify, or warn in any manner, its users.
 
If users had a clue about how accounts are being hacked, they'd at least have the opportunity to keep an eye out for potential issues and immediately stop spam tweets that link back to the scam site.
 
Twitter's the only entity who knows exactly how hackers are getting in and how accounts are being hijacked -- and that also makes the company the only entity that can help its own user base protect their Twitter accounts, whether that's by increasing or changing security passwords, etc. And if there's nothing users can possibly do to help the situation, Twitter at least needs to be honest and tell users what is going on or that the company is working to combat or contain the issue that's been occurring for a month -- from at least mid-June through July 2011. Hiding the problem is not ok. It seems Twitter is allowing its users' accounts to be compromised and, apparently, hiding that fact.
 
There's no excuse -- for the lack of notification -- that you didn't know how to get the word out, Twitter: Remember, you're a social networking site so that 'word' could've been out in seconds via tweets. That is, if you'd been honest.
 
The Twitter email simply tells the user that the account password needs to be changed. The email does not, in any way, indicate that Twitter's highly aware of why they were alerted to a compromise, nor does the company bother telling a user that the issue's going on with multiple accounts. Just a vague email. If a user bothers Googling the hacker's website name sent out via tweets, numerous search engine results pop up -- all over the identical problem. Nice, Twitter.
 
So how's Twitter handling its security breach? Not very well apparently. If the problem was contained, the site wouldn't have had any problem in notifying users of the hijacked accounts that's been occurring for many weeks. Instead, Twitter's sending out an email -- in a one-by-one scenario it seems, indicating the company's got a hunch someone's "compromised" the user's Twitter account. Of course you've got a hunch of a "compromise", Twitter, because your site in fact had MANY ACCOUNTS COMPROMISED in hijacking of Twitter accounts that's gone on for MANY WEEKS NOW. C'mon, Twitter -- you know this has been going on for at least a month; Google shows cached complaints from back in June.
 
The email doesn't say why the account was compromised or how someone was able to get into the account. And that's the other aggravating part:
 
Twitter users who go to the company's help page on the topic of "My Account Has Been Compromised" will find a list of reasons that all put potential blame back on the Twitter user as to accounts being compromised. Not one of those reasons indicates the social networking site could really be to blame.
 
The Twitter help page says: Protect your Account with Simple Precautions! If your account has been compromised, do take these additional precautions:
 
USERS SHOULD: "Delete any unwanted Tweets that were posted while your account was compromised."
 
USERS SHOULD: "Scan your computers for viruses and malware, especially if unauthorized account behaviors continue to be posted after you've changed the password."
 
USERS SHOULD: "Install security patches for your operating system and applications."
 
USERS SHOULD: "Always use a strong, new password you don't use elsewhere and would be difficult to guess."
 
USERS SHOULD: "Visit our Safe Tweeting page for more information on avoiding hacks and phishing."
 
The only problem: This issue has to do with what TWITTER SHOULD have been doing or be doing now. Instead, notice that every one of the above has to do with security on the user's side -- all the hoops Twitter wants its users to jump through. Only THIS DOESN'T HAVE TO DO WITH THE USER: THIS IS A SECURITY BREACH ON TWITTER'S SIDE. PERHAPS, TWITTER, YOU NEED TO BE TELLING YOUR USERS WHAT PLANS YOU CHOOSE TO PUT IN PLACE, TO STOP USERS' ACCOUNTS FROM BEING HACKED ON YOUR NETWORK.
 
Aside from allowing additional users' information to be compromised by not telling its user base, Twitter's also allowed the scam website to boost its ratings and gain ground -- more than significantly: The consumerwarningsreport.com site's now ranked within roughly the top 20,000 in the United States with an Alexa rating and stats that show more than a 30,000% increase in traffic -- from just the past couple months. That'd be a 30,000% increase for a scam site, Twitter. Legitimate sites can thank you -- a hell of a lot.
 
Quantcast shows a traffic increase for consumerwarningsreport.com that went from basically zero to a sudden leap (magically to some, but obviously not to Twitter) that literally skyrocketed in June and July 2011 to thousands of visitors. Hmmm....wonder where that huge boost in traffic for a piece-of-crap, spam website is coming from, TWITTER. But surely you know -- since you're aware that your own users are being compromised and that consumerwarningsreport.com is actually accessing users' Twitter accounts to send out tweets about their own scam site.
 
The scam site consumerwarningsreport.com -- responsible for the hacking or hijacking -- used users on Twitter to go ahead and send out tweets with links to its scam site, which allowed the website to boost its search engine ranking and ratings in an outrageous way. Basically the scam company profited off of Twitter allowing the problem of hijacked accounts to continue -- through letting the company send out more and more tweets from more and more accounts, and all that hard work of hijacked accounts paid off. The scammer's now ranking higher than legitimate websites because Twitter refused to stop the game early on. Twitter basically sent a ton of extra visitors to the scam site -- all through allowing the links to be posted and behavior to continue for a month without admitting the problem.
 
Here's an idea, Twitter: Rather than sending out a simple email that makes it sound like you've got no clue what's been going on, with vague reference that you think an individual user's account may have been "compromised", perhaps the more ethical response is to be straight-up: Tell your users that not only are they not at fault (since you know who is -- and this is a security breach on your side that you have full knowledge has been occurring) but that they're not alone. In fact they're far from alone. But you already know that.
 
Maybe letting users know, in a mass notification or tweet, that you're working on the problem would be helpful -- but, then, that'd be letting the cat out of the bag. If you can keep it a secret, why not? Who cares if other users have their personal account information breached and account control taken over by another entity?

Average: 5 (2 votes)