Tell HN: It might be a good time to change your twitter password.
40 points by paulgb on Aug 6, 2009 | 18 comments
Something odd seems to be going on with twitter. Accounts are posting a message that says "Today was so exciting! Made $124 in 20 minutes! if ur interested, go read: [spam link]"

http://twitter.com/#search?q=%22today%20was%20so%22

The posts started a few hours ago, stopped for a while, and just recently started again. It may be that a 3rd party service was compromised, so if you've given your Twitter credentials to another web site, it's worth the time to change your password. The volume (many thousands of accounts, including people I know who would not be inclined to sell posts) and nature of the posts seem to rule out the possibility of a paid posting service.




Here's a question I've had for a while now. It may sound naive, but I'll ask it anyway: Given the way Twitter is set up to track current trends, shouldn't it be really easy for them to identify when one identical tweet gets repeated hundreds or thousands of times at once? Obviously sometimes such tweets are legit (especially in the case of retweets) but it seems like this should be fairly easy to flag and delete quickly.
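
The check asked about in the comment above, as an added example that is not part of the thread and not Twitter's code: flag any text posted by several distinct accounts inside a short time window, skipping retweets. The function names, the 600-second window, the 3-account threshold, the `RT @` retweet convention and the sample posts are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

URL_RE = re.compile(r"https?://\S+")

def normalize(text):
    """Collapse case, whitespace and link targets so that copies of one
    template with rotating URLs map to the same key."""
    text = URL_RE.sub("<url>", text.lower())
    return " ".join(text.split())

def flag_bursts(posts, window=600, min_accounts=3):
    """posts: iterable of (unix_ts, account, text), sorted by time.
    Returns {normalized_text: set_of_accounts} for every text posted by at
    least min_accounts distinct accounts inside any `window`-second span.
    Retweets are skipped, since those are the legitimate repeats."""
    recent = defaultdict(deque)   # key -> (ts, account) pairs still in window
    flagged = defaultdict(set)
    for ts, account, text in posts:
        if text.lower().startswith("rt @"):
            continue
        key = normalize(text)
        q = recent[key]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop posts older than the window
        accounts = {a for _, a in q}
        if len(accounts) >= min_accounts:
            flagged[key] |= accounts
    return dict(flagged)

# Constructed sample data (not real accounts or real traffic).
SPAM = ("Today was so exciting! Made $124 in 20 minutes! "
        "if ur interested, go read: http://example.test/%s")
SAMPLE = [
    (1000, "alice", SPAM % "a1"),
    (1030, "bob", "Lunch was great today"),
    (1060, "carol", SPAM % "b2"),
    (1090, "dave", "RT @bob: Lunch was great today"),
    (1100, "erin", "RT @bob: Lunch was great today"),
    (1110, "frank", "RT @bob: Lunch was great today"),
    (1120, "grace", SPAM % "c3"),
    (5000, "heidi", "Lunch was great today"),
]

if __name__ == "__main__":
    for text, accounts in flag_bursts(SAMPLE).items():
        print(len(accounts), "accounts:", text)
```

Counting distinct accounts rather than raw posts keeps one chatty user from tripping the flag, and replacing URLs before comparing catches templates whose link changes per post.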


They're suspending people's accounts pretty quickly if they tweet the google cash scam.


The spam points to a site that says it was "As seen on MSNBC, CNN, ABC, CNBC, and As Seen on TV"... With such credentials, how could it not be legit? Plus it only costs $1.95 to get started!

/sarcasm


I was under the impression that all the major social APIs (facebook connect, twitter, etc...) terms of service prevent 3rd party services from storing any data for more than 24h?


"Thou shalt not" is not a security policy.


That's Facebook. Twitter has no such policy.


I know of at least one person whose account has been compromised. He swears he didn't give out his creds to any service. My guess is this is a 0-day being exploited.


I remember this being discussed at Defcon. Wouldn't surprise me if someone managed to script a JavaScript DDoS worm. It really wouldn't be too hard to do.


I first saw this about a week ago, so it has been happening for some time now.


Could be a cross-site scripting vulnerability in Twitter, doesn't necessarily mean that those users' passwords have been compromised... but you can never be too safe!


Well, let's assume for a second that it is instead a service that got compromised... unless you use a bad service that saves your password, they are using auth tokens which may not necessarily stop working just because you change your password.


I would also beware of friending really cute girls that friend you first. And here I thought they were actually interested in my mind...


Yeah, it turns out they were only interested in my body all along...


Might just be an affiliate spamming Twitter. You should complain to the advertiser they are running the offer with; they will get kicked off and not paid for spamming/noncompliance.


Weird. I changed my Twitter password and something went crazy. I tried starting my Tweetdeck, it failed to connect for obvious reasons. It had my old password. After this, Twitter would not allow me to log in again. Here is what I see on the Twitter screen: "Locked out! We've temporarily locked your account after too many failed attempts to sign in. Please chillax for a few, then try again."


Yeah, Tweetdeck or something else that used the old password got your account locked out. This happened to me! You can get around it by going to http://help.twitter.com/portal and using the log in. It allows you to log in even if you are locked out, and if you log in there apparently it sets up a session or cookie that logs you into the main site. Pretty much makes the lockout thing useless!


Seems that doesn't even work anymore... Twitter seems to be completely dead... anyone else having trouble accessing it?


Probably just (another) cross-site scripting exploit



