Today I arrived at work and discovered that someone had been sending unauthorised direct messages (DMs) from my Twitter account. These messages were of the form “This you???? <URL>”, where the URL is a shortened URL which led to a site designed to phish for Twitter password details. I can see these messages by looking at the Sent list of my Direct messages, and it appears that they have been sent to a random selection of over 100 Twitter accounts (some of whom I follow, some I don’t recognise).
Firstly, apologies to everyone who received one of these messages and who was inconvenienced by it.
This is a known scam, and there are recognised steps to take if it happens to you. But it made me realise how awkward it is to clear up the mess an incident like this causes, and the impact of the breach of trust that inevitably occurs when people think that I am sending them malicious or junk messages:
- It’s embarrassing for me, as people are at best annoyed with me because a stupid message was sent from my Twitter account, and at worst have their security details compromised because they trusted what I ‘apparently’ sent them.
- It may affect my reputation, and lead to people unfollowing me, or otherwise unengaging with me because they don’t trust me any more.
- It wastes the time of people who are decent enough to alert me, either by direct message, Twitter post or email, to say that they believe I sent a dodgy message. 20 people contacted me to tell me about today’s problem, and I am grateful to each of you for taking the time to do so.
I sent an apologetic tweet as soon as I realised what happened (I thought it better not to use DM to apologise!). But people continued to respond after that. I apologised again 7 hours later to catch those who hadn’t seen the first tweet.
So apologising effectively is really difficult! Twitter is a global community covering all time zones, so people might miss my apology tweet because they were asleep, or away from their PC, or just because it was lost in the crowd. Yet the personal nature of a DM is much more likely to compel someone to act on it (firstly to discover it’s spam, and secondly tell me so).
So what’s the most efficient way of telling everyone “I’ve been hacked. I’m sorry. Please ignore my recent DM”? Should I temporarily change my Twitter profile’s description (which people might not notice)? Or send regular apology tweets (potentially annoying followers who already know)? Or should Twitter provide some additional way of allowing me to alert everyone with information of this nature?
This is of course likely to be a problem for any social networking/communication system that has exploitable security flaws – how we go about cleaning up the damage caused by spammers to human relationships. Thoughts are welcome via the comments facility – and thanks to WordPress’ use of Akismet, uninvited spammers are likely to be kept well away from the conversation.