<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tricerion Security Blog &#187; breach</title>
	<atom:link href="http://blog.tricerion.com/tag/breach/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.tricerion.com</link>
	<description></description>
	<lastBuildDate>Tue, 17 Jan 2012 14:02:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Twitter&#8217;s been phished!</title>
		<link>http://blog.tricerion.com/2010/02/twitters-been-phished/</link>
		<comments>http://blog.tricerion.com/2010/02/twitters-been-phished/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 02:28:46 +0000</pubDate>
		<dc:creator>Kathy</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Twitter]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=108</guid>
		<description><![CDATA[2 of my 3 Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third party application may have compromised accounts, but stories abound about what really happened. What I can tell you is that I know enough about where to share my passwords that I didn&#8217;t [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: center;"><img class="aligncenter dtse-img dtse-post-108" title="Twitter Phished" src="http://scrapetv.com/News/News%20Pages/Technology/images/twitter-fail-whale-large.jpg" alt="" width="431" height="323" /></p>
<p>2 of my 3 Twitter accounts asked me to reset my password this morning when I signed in. It seems that a third party application may have compromised accounts, but stories abound about what really happened.</p>
<p>What I can tell you is that I know enough about where to share my passwords that I didn&#8217;t accidentally give my credentials to a fraudulent site. I can also tell you that no one hijacked my account. My password is reset on both &#8216;compromised&#8217; accounts and I&#8217;ve updated the legitimate applications I use to access Twitter.</p>
<p>I&#8217;m not quite sure why Twitter would be the target of a phishing attack. While they might be able to post what they ate for breakfast or follow a few celebrities (or whoever), no one can use my Twitter login information to access money or sensitive information. Not sure what the point to the whole Twitter phishing attack was, but I&#8217;m not too worried either. A minor inconvenience at worst, interesting blog fodder at best.</p>
<p><strong>Update: </strong>Thanks to Malcolm for posting the following in the comments on one of our posts about phishing:</p>
<blockquote><p>With the knowledge that many people use the same passwords across multiple sites, there is value in phishing ANY online login system. Because email+password can be identical on every site, any and every site is vulnerable to phishing. Phishers need a single chink in the armour, if the phished person uses a hotmail/gmail etc email address for Twitter, there’s a high chance the email can then be compromised with the same login details, and once you have the email you could wait for a ‘statement’ email from a bank or credit card …</p>
<p><a href="http://blog.tricerion.com/2010/01/phishing_fraud_consumer_awareness/comment-page-1/#comment-44">More online users know about phishing, while number of victims is up by 600% @ Tricerion Security Blog</a></p></blockquote>



]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/02/twitters-been-phished/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Squeezing some browser sense from the Google-China phishing incident</title>
		<link>http://blog.tricerion.com/2010/01/squeezing-some-browser-sense-from-the-google-china-phishing-incident/</link>
		<comments>http://blog.tricerion.com/2010/01/squeezing-some-browser-sense-from-the-google-china-phishing-incident/#comments</comments>
		<pubDate>Mon, 18 Jan 2010 18:55:15 +0000</pubDate>
		<dc:creator>Eugen</dc:creator>
				<category><![CDATA[Phishing]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[browser]]></category>
		<category><![CDATA[vulnerability]]></category>

		<guid isPermaLink="false">http://blog.tricerion.com/?p=93</guid>
		<description><![CDATA[A few days ago Google decided to shut down its operations in China after a spear phishing attack directed towards Chinese human rights activists, as well as attempts to steal some of Google’s intellectual property.   It is presumed that the attackers sent exploit-ridden PDF attachments in emails to Google employees, thus attempting to gain access [...]]]></description>
			<content:encoded><![CDATA[<p>A few days ago <a href="http://www.nytimes.com/2010/01/13/world/asia/13beijing.html" target="_blank">Google decided to shut down its operations in China</a> after a spear phishing attack directed towards Chinese human rights activists, as well as attempts to steal some of Google’s intellectual property.   It is presumed that the attackers sent exploit-ridden PDF attachments in emails to Google employees, thus attempting to gain access to internal systems that contained account passwords (<a href="http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222301235" target="_blank">some researchers&#8217; opinions differ</a>). This and similar attacks have been going on since mid-June of 2009 and affected over 30 companies around the world.</p>
<p>What’s different this time is Google’s response to the attack, as well as a number of governments (like <a href="http://news.bbc.co.uk/2/hi/technology/8465038.stm" target="_blank">France</a> and <a href="http://news.bbc.co.uk/2/hi/technology/8463516.stm" target="_blank">Germany</a>) that made public announcements recommending that their citizens stop using Internet Explorer, since the attacks were targeting this browser’s vulnerabilities.</p>
<p><a href="http://blog.tricerion.com/wp-content/uploads/2010/01/balloon.jpg"><img class="alignright size-full wp-image-95 dtse-img dtse-post-93" title="balloon" src="http://blog.tricerion.com/wp-content/uploads/2010/01/balloon.jpg" alt="" width="327" height="220" /></a>Online security is a lot like an inflatable balloon. If you squeeze a balloon, the air will expand the part with the least resistance. When it comes to security, attackers will most likely take the path of least resistance that promises the greatest rewards at minimum risk. In this situation, I really don’t understand why advising millions of people to stop using a specific browser will somehow protect them from future attacks. Let’s say everyone starts using only Firefox, or Chrome. Are hackers going to give up and never write another exploit again? Not only is this boycott of IE not going to be effective for the general public, but since governments usually use IE as their default browser in all of their institutions, imagine the logistics required to make the changes across the board.</p>
<p>Tricerion protects its users in a way that is completely independent of browser functionality and vulnerabilities.  <a href="http://www.tricerion.com/products/picturepasswords.html" target="_blank">Our graphic passwords</a> are stored in a database in such a way that this information is not possible to interpret and reuse from the outside.  Effective authentication methods should not rely on specific browsers, nor should they be threatened by the vulnerabilities in other companies’ software products.</p>



]]></content:encoded>
			<wfw:commentRss>http://blog.tricerion.com/2010/01/squeezing-some-browser-sense-from-the-google-china-phishing-incident/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

