Twitter has been around for over three years now, and along the way many third-party applications and web services have grown up around it. In the early years these third-party applications and web services required Twitter users to hand over their Twitter credentials in order to use the service.
This requirement of providing a third party with my credentials for another service had never sat well with me, so I did not use any third-party web service that required my Twitter credentials. This decision was frustrating, because during this time Facebook, FriendFeed and others already had authentication services that did not require their users to give their credentials to third parties. As a result I joined the hundreds of others who requested that Twitter adopt OAuth or a similar technology for their site.
Finally, at the beginning of 2009, we started to see signs of Twitter OAuth. This was promising, but now there were thousands of third-party services that had yet to adopt the new authentication method. I then joined the campaign to encourage as many of these third-party developers as possible to incorporate Twitter OAuth as their authentication method instead of requiring the user’s Twitter credentials. Unfortunately, several months after the appearance of Twitter OAuth, a vulnerability was found in the OAuth implementation, which slowed down third-party adoption. With the cooperation of the member companies of the OAuth organization this vulnerability was quickly identified and resolved.
In the meantime we keep hearing stories of Twitter accounts being compromised. Initially it was thought that these incidents originated from within Twitter, since Twitter had an incident where an administrator password was cracked by a teenager using a brute-force method. But now stories like the most recent one, 1000s of Twitter Accounts Compromised in Latest Spam Attack, are becoming more and more frequent.
As always, the weakest point in security is the third party. So refrain from trying that latest Twitter service if it does not use Twitter OAuth, and definitely don’t use your Twitter credentials as the login for a third-party service.
If you suspect your account may be compromised, change your password immediately.
Twitter has also responded by creating the “Security Best Practices” page for developers.