Black Raven Dragoons

[Zancarius]

So apparently my Twitter account that I never use (well, sorta--I had 13ish Tweets on there) had been compromised for a whole two messages. I got a notice today from Twitter indicating that was the case and promptly reset the password and deleted the two tweets.

What's curious is that I used a throw away password that I've used on probably 2 or 3 other sites I don't expect to use much (my own fault, I realize, but hey... I don't really like social networks), and I haven't touched Twitter much since 2011. Curiously, the e-mail also indicated that such compromises could be due to 3rd party providers that I've authorized to Tweet on my behalf. While I don't remember doing such, there's a possibility that I may have used the account to that end for development and testing purposes. I can't tell at this point, because Twitter may have wiped all the authorized apps from my account. Their e-mail indicates you have to do this manually, so I don't know; it's difficult to independently verify anything at this point without further data. All of my other passwords are either random or long passphrases, so it's of little concern to lose Twitter--it's more of an annoyance and a feeling of violation than anything else. But, it did give me an opportunity to go through passwords on sites I suspected used a similar (or the same) throw away and change them if needed.

Long story short: If you have an account on a social network, it's probably worth using a randomized password of acceptable length even if you never intend to use the account. Moreover, you should probably use something like KeePass to generate random passwords for every service, not just social networks. If one service is compromised, then the password won't affect anything else (and if it's random and lengthy, it'll be difficult to crack or brute force). The other moral to the story is that you should probably be cautious about what services you select to gain access to your account, even if you're only doing so to test something for someone else for (probably) paid labor.

I appreciate that Twitter sends out notices immediately, though. It's really nice. I might have to actually start using the account. It also gives me some ideas for software I might write, namely automatically resetting passwords if it looks like someone's account was compromised. The trick, though, is to balance the reset with ample evidence so users can't just forcibly reset someone's password for fun and games by flagging the account or posts from the account as spam.

[Grimblast]

I was wondering who that Shelton character was...

[Zancarius]

I know, right?

Full postmortem.

[Elade]

Sorry, I had to borrow your account to tweet about our forbidden love...of donut burgers.

[Grimblast]

[Zancarius]

Instant coronary...