The Guardian - UK
Technology
Jack Schofield

Twitter and Facebook hit by phishing attacks

Some Twitter users were lured into giving away their passwords in a phishing attack over the weekend. Lots of us received direct messages (DMs) saying "hey! check out this funny blog about you..." The link led to a site that copied Twitter's front page, complete with its login form. However, the trick was soon spotted, and the "don't click" warnings rapidly became much more annoying than the phishing messages themselves.
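The lure worked because the fake page lived on a domain that merely mentioned the real one. As an added example (not part of the original article, and not Twitter's code), the check below contrasts the substring test people tend to write with one that parses the URL and compares the actual hostname against the service's real domain. The trusted-domain set and the sample DM links are constructed for the demonstration; none of the sample links is a real phishing URL.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: the real service is reachable only under this registrable domain.
TRUSTED_DOMAINS = {"twitter.com"}


def naive_looks_legit(url: str) -> bool:
    """The check people often write: does the link mention the brand anywhere?"""
    return "twitter.com" in url.lower()


def hostname_of(url: str) -> Optional[str]:
    """Return the hostname the browser would actually connect to, or None."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    # .hostname is lower-cased and has userinfo ("user@") and port stripped,
    # so "https://twitter.com@example.net/" yields "example.net".
    return parsed.hostname


def is_trusted_host(url: str) -> bool:
    """True only if the hostname is the trusted domain or a subdomain of it."""
    host = hostname_of(url)
    if not host:
        return False
    host = host.rstrip(".")  # "twitter.com." is the same host as "twitter.com"
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


# Constructed sample DM links and the verdict a correct check should give.
SAMPLES: List[Tuple[str, bool]] = [
    ("https://twitter.com/login", True),
    ("https://TWITTER.com/login", True),
    ("https://twitter.com.example.net/login", False),  # brand as a subdomain
    ("https://example.net/twitter.com/login", False),  # brand in the path
    ("https://twitter.com@example.net/", False),       # brand as userinfo
    ("https://example.net/?next=https://twitter.com", False),  # brand in the query
    ("javascript:alert('twitter.com')", False),        # not a web URL at all
]


def classify(urls: List[str]) -> List[Tuple[str, bool, bool]]:
    """For each URL: (url, naive verdict, hostname-based verdict)."""
    return [(u, naive_looks_legit(u), is_trusted_host(u)) for u in urls]


def naive_false_positives() -> int:
    """How many constructed phishing links the substring check waves through."""
    return sum(1 for url, legit in SAMPLES if not legit and naive_looks_legit(url))


if __name__ == "__main__":
    for url, naive, strict in classify([u for u, _ in SAMPLES]):
        print(f"{url:50} substring={naive!s:5} hostname={strict}")
```

The hostname check still trusts any subdomain of the real domain, which is deliberate: a phisher who controls a subdomain of twitter.com has already won. What it refuses is the common trick of putting the brand name anywhere except the registrable domain.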

Twitter dealt with the problem, its blog says, by reporting the offending domain. It also found a similar fake page for Facebook.
According to the domain registration record viewed at Domain Tools, the attack could be connected with "Name : zhang xiaohu" in China. But since his phone number is in the contact info, I suspect it's not him.

Some people did log in to the phishing site, so Twitter reset their passwords.

It's always easy to accuse victims of being dumb, but Twitter users regularly type their Twitter passwords into third-party sites that have sprung up to offer dozens of utilities, some of which have been knocked together in a few hours. Indeed, one utility -- Twply -- was knocked together, launched and then sold on Sitepoint in a few hours. Whoever used the buy-it-now option and paid $1,200 now has a pile of Twitter IDs and passwords.

As Chris Messina and others have pointed out, Twitter ought to support a mechanism such as OAuth for "delegated authentication", and while it says it will, it doesn't. Yet.
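The difference between handing a utility your password and delegating limited access to it is the whole point of the previous two paragraphs. As an added example (my own illustration, not Twitter's code and not a real OAuth implementation), the toy service below models both: a password grants the holder the entire account for as long as the password stands, whereas an HMAC-signed token is scoped, expires, and can be revoked by the user without touching the password. The `Service` class, the `simulate_sale` walkthrough and the user "alice" are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Service:
    """Toy account service standing in for the site (assumption, not real Twitter code)."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    passwords: Dict[str, str] = field(default_factory=dict)  # plaintext only for the demo
    revoked: Set[str] = field(default_factory=set)           # nonces of withdrawn tokens

    def login(self, user: str, password: str) -> bool:
        """Password model: whoever knows the password controls the whole account."""
        return self.passwords.get(user) == password

    def issue_token(self, user: str, scope: str, ttl: int = 3600) -> str:
        """Delegated model: scoped, expiring, revocable token; the app never sees the password.
        Fields are '|'-separated, so user and scope must not contain '|' (demo assumption)."""
        body = f"{user}|{scope}|{int(time.time()) + ttl}|{secrets.token_hex(8)}"
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"

    def revoke(self, token: str) -> None:
        """The user withdraws one delegation; nothing else about the account changes."""
        self.revoked.add(token.split("|")[3])

    def authorize(self, token: str, needed_scope: str) -> Optional[str]:
        """Return the user the token acts for, or None if it is forged, tampered,
        expired, revoked or lacks the requested scope."""
        parts = token.split("|")
        if len(parts) != 5:
            return None
        user, scope, exp, nonce, mac = parts
        expected = hmac.new(self.key, "|".join(parts[:4]).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None  # signature check first, before trusting any field
        if not exp.isdigit() or int(exp) < time.time():
            return None
        if nonce in self.revoked or scope != needed_scope:
            return None
        return user


def simulate_sale(service: Service, user: str, password: str) -> Dict[str, bool]:
    """Two utilities change hands; compare what the buyer can still do afterwards."""
    service.passwords[user] = password

    # Utility A asked for the password and stored it (the pattern described above).
    stored_password = password
    # Utility B asked the service for a read-only token instead.
    token = service.issue_token(user, "read")

    # Both utilities are sold. The user revokes B's delegation; the password is unchanged.
    service.revoke(token)

    tampered = token.replace("|read|", "|post|")  # buyer tries to widen the scope
    forged = f"{user}|post|9999999999|deadbeefdeadbeef|" + "0" * 64

    return {
        "buyer_with_password_can_login": service.login(user, stored_password),
        "buyer_with_token_can_read": service.authorize(token, "read") is not None,
        "fresh_token_can_read": service.authorize(service.issue_token(user, "read"), "read") == user,
        "read_token_can_post": service.authorize(service.issue_token(user, "read"), "post") is not None,
        "tampered_token_accepted": service.authorize(tampered, "post") is not None,
        "forged_token_accepted": service.authorize(forged, "post") is not None,
        "expired_token_accepted": service.authorize(service.issue_token(user, "read", ttl=-1), "read") is not None,
    }


if __name__ == "__main__":
    for check, outcome in simulate_sale(Service(), "alice", "correct horse").items():
        print(f"{check:32} {outcome}")
```

The only line the buyer of utility A needs is `service.login(user, stored_password)`, and it keeps working until every affected user changes their password. The buyer of utility B holds a token the user has already revoked, and the service's own key is what stops a scope change or an outright forgery from verifying.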
