UK Web Focus (Brian Kelly)

Innovation and best practices for the Web

    Creative Commons License
    This work is licensed under a Creative Commons Attribution 2.0 UK: England & Wales License. As described in a blog post this licence applies to textual content published by the author and (unless stated otherwise) guest bloggers. Also note that on 24 October 2011 the licence was changed from CC-BY-SA to CC-BY. Comments posted on this blog will also be deemed to have been published with this licence. Please note though, that images and other resources embedded in the blog may not be covered by this licence.

Lessons From Twitter Spam

Posted by Brian Kelly on 1 Dec 2009


On Saturday morning I received a number of Twitter messages informing me that my Twitter account had been hacked, with a number of spam messages being sent from my account. The message (which I deleted as soon as I spotted it) read:

see if your iq is higher than mine. take the iq quiz here: {URL removed}

As can be seen from a Google search this spam message is to be found on many Twitter accounts.

Blog posts entitled “WARNING: New Twitter DM Spam Attack” and “IQ Quiz Mobile Scam Hits Twitter” provide further details about this spam attack. I have followed the advice provided in these posts and have changed my Twitter password. This advice was also suggested in tweets from @karenblakeman and @joecar, who notified me of the problem as soon as they spotted it. But as I have previously suggested, it can be more effective to learn from problems than from successes, so I feel I should explore the possible causes of the spam emanating from my Twitter account.

Using Third Party Twitter Services

The obvious suspect is a third party service to which I have given my Twitter username and password. “You shouldn’t divulge your Twitter username and password to other services” might be the obvious lesson to be learnt. And yet part of Twitter’s success is due to the way it has provided APIs which enable a thriving ecosystem of applications which enrich the core Twitter experience. Accessible Twitter, for example, provides an accessible Twitter client designed for use with assistive technologies, and to use the service you need to divulge your Twitter username and password to it. A service holding your password can do anything your account can do, and if that service is breached your password goes with it.


Ideally such services would support OAuth which, as described in Wikipedia, “is an open protocol that allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their username and password”. With OAuth the user logs in at Twitter itself, authorises the application, and Twitter issues the application a token which it uses in place of the password; the application never sees the password, and the user can revoke that one token without changing the password or affecting any other application. I’ve noticed a number of tweets over the last couple of days which have been generated by the Tweetcloud service, which provides an example of a service which you authenticate to using OAuth.

But what do you do if OAuth isn’t supported? Over time, as more services start to use OAuth, this probably won’t be an issue. Until then, however, I think there is a need to acknowledge that people will use their Twitter credentials with other services and, as is likely to be the case with Accessible Twitter, users will benefit from their use of the service and the service will manage its users’ Twitter usernames and passwords as carefully as it would its own. But when using such services there is a need to consider the risks: your account could potentially be compromised and you could find yourself apparently spamming your followers.
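To make concrete what OAuth changes, here is an added example (not code from this post, nor from Twitter or any of the services named above) of how a client signs a request under OAuth 1.0a, the version in use with Twitter's API at the time. The endpoint URL, consumer key and secret, token and secret, nonce and timestamp are all made-up placeholders. The point to notice is that the user's password appears nowhere in the flow: the client proves itself with the token secret, and once that token is revoked the server-side check simply fails.

```python
"""OAuth 1.0a request signing with HMAC-SHA1 (RFC 5849, section 3.4).
Added example with constructed credentials; nothing here is a real key."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value: str) -> str:
    """RFC 3986 percent-encoding leaving only the unreserved set bare.
    urllib's default would also leave '/' alone, which OAuth forbids."""
    return quote(value, safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """METHOD & encoded URL & encoded (sorted, normalised) parameter string."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """Signing key is consumer secret & token secret. The user's password is
    not an input to any step of this."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    """Client side: build the oauth_* parameters for one API request."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_nonce": nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth


def authorization_header(oauth: dict) -> str:
    """Serialise the oauth_* parameters as an Authorization header value."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))


def verify_request(method, url, params, oauth, consumer_secret, token_secret) -> bool:
    """Server side: look up the token's secret, recompute, compare in constant
    time. Deleting (revoking) the token's secret makes this fail for good."""
    presented = oauth.get("oauth_signature", "")
    unsigned = {k: v for k, v in oauth.items() if k != "oauth_signature"}
    base = signature_base_string(method, url, {**params, **unsigned})
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


# Constructed placeholders; no real endpoint or Twitter credentials appear here.
URL = "https://api.example.com/1/statuses/update.json"
CONSUMER_KEY, CONSUMER_SECRET = "ck", "consumer-secret"
TOKEN, TOKEN_SECRET = "tk", "token-secret"

if __name__ == "__main__":
    oauth = sign_request("POST", URL, {"status": "hello world"}, CONSUMER_KEY,
                         CONSUMER_SECRET, TOKEN, TOKEN_SECRET, "n0nce", 1259668800)
    print(authorization_header(oauth))
    print(verify_request("POST", URL, {"status": "hello world"}, oauth,
                         CONSUMER_SECRET, TOKEN_SECRET))
```

Compare this with the password-sharing model of the previous paragraph: there, revoking access means changing your password everywhere; here, it means deleting one row on the server.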

It Was Phishing!

Chris Sexton was another victim of the Twitter spam. And as she described in a post entitled “Gone Phishing”, the problem was actually due to “a very straightforward phishing scam”. It seems that we may have followed a link which took us to a spoof Twitter login page, and this was how our passwords were stolen. Further details are given in a post on “How to prevent your Twitter account from being hacked!”.


As Chris described: “I use tabs in my browser and have lots open at once, and sometime in the next few minutes went to one which looked like a Twitter log in screen – so I typed in my user name and password. Duh.” Indeed. And like Chris I have multiple tabs open and use multiple devices. We’ve both learnt a lesson about the dangers of too much multi-tasking!
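The check that would have caught the spoof login page described above, added here as an example and not part of the original post: before typing a password into a tab, parse the link and insist that the host is exactly an allow-listed login host, not merely something containing the familiar name. The allow-list and the sample links are constructed for illustration; the host-name tricks they exercise (the trusted name as a subdomain of another domain, credentials before an “@” that hide the real host, look-alike international characters, odd ports, plain http) are the standard ones rather than anything taken from this particular scam.

```python
"""Decide whether a link is somewhere it is safe to type a given password.
Added example; allow-list and sample links are constructed, not real sites."""
from urllib.parse import urlsplit

# Assumed allow-list: the only hosts where typing this password is legitimate.
TRUSTED_LOGIN_HOSTS = {"twitter.com", "www.twitter.com"}


def check_login_url(url: str, trusted=frozenset(TRUSTED_LOGIN_HOSTS)):
    """Return (ok, reason). ok is True only when the link could be the real
    login page. Exact host matching is the point: a suffix or substring check
    would pass twitter.com.attacker.example or login-twitter.example."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "credentials before '@' hide the real host"
    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not host:
        return False, "no host"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised host (possible look-alike characters)"
    if host not in trusted:
        return False, f"{host} is not an allow-listed login host"
    if port not in (None, 443):
        return False, "non-standard port"
    return True, "ok"


def flag_links(links):
    """Run the check over a batch of links; return those not to log in at."""
    flagged = []
    for url in links:
        ok, reason = check_login_url(url)
        if not ok:
            flagged.append((url, reason))
    return flagged


# Constructed sample links. None of these are real phishing sites.
SAMPLE_LINKS = [
    "https://twitter.com/login",
    "https://TWITTER.com/login",
    "http://twitter.com/login",
    "https://twitter.com.login.example/session",
    "https://login-twitter.example/",
    "https://twitter.com@203.0.113.5/login",
    "https://twitter.com:8443/login",
    "https://xn--twtter-bva.com/login",
]

if __name__ == "__main__":
    for url, reason in flag_links(SAMPLE_LINKS):
        print(f"DO NOT LOG IN: {url}  ({reason})")
```

The same rule applies when reading the address bar of a tab you did not open yourself: the question is not “does it look like Twitter” but “is the host exactly twitter.com”.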

But Let’s Not Forget Other Risks

This episode has served as a reminder of the dangers of phishing sites, and I hope this post proves helpful to other Twitter users. But there are additional risks to be aware of. For example your Twitter account could be compromised if you lose your mobile phone, or leave it unattended while logged in. And, as we have seen with email spam, posts could potentially be spoofed so that they appear to have been sent from your account. So there’s also a need for one’s followers to be aware that Twitter posts may not have been sent by the owner of the account.


3 Responses to “Lessons From Twitter Spam”

  1. Kathy Sperl-Bell said

    Great post with wonderful advice. We all need to be careful out there!

  2. Ryan said

    Another interesting read about Twitter spam:
    We are social

  3. […] spammers have it. Knowing how spammers get their info is the first step in avoiding their tricks. Read more about how to keep your info safe at UK Web Focus […]
