By signing in, users were having their accounts stolen, and used to send more of the messages to other victims.
Today, Twitter finally released a warning about the attack:
Over the past few days, Twitter has been helping folks victimized by a phishing attack. Phishing is a deceitful process by which an attempt is made to acquire sensitive information such as Twitter usernames and passwords. The bad guys masquerade as someone you trust and may send you a Direct Message (DM) with a link. This DM may say something along the lines of, "LOL that you??" followed by a link to a fake Twitter login page. If you enter your credentials on that fraudulent page, the phishers can sign in as you and trick more people.
Anatomy of A Phishing Scam
Generally a phishing attack against Twitter users breaks down to a three-part process. First, accounts compromised in the manner described above send out messages to all accounts following them. Second, accounts that are newly compromised send out more messages. Third, the scammers behind the phishing attack make an attempt at monetization by sending out spam links instead of links to a fake login page. We fight phishing scams by detecting affected accounts and resetting passwords. However, it's better to stop them before they start.
Avoiding Phishing Scams
We designed the Direct Message system so that you could only get DMs from accounts that you choose to follow—this cuts way down on spam and attacks. Our Trust and Safety team identifies and deletes spam accounts every day. Still, we recommend against indiscriminately following hundreds or thousands of accounts without having a look first. To learn how you can avoid falling victim to a phishing scam or if you have other questions about keeping your Twitter account secure, please read Keeping Your Account Secure at our help site.
Thanks Twitter!
Written by: Andre Yoskowitz @ 27 Feb 2010 0:36
