Twitter Phishing Scare

If you haven’t heard yet, some scammers are harvesting passwords on Twitter through direct messages. You’ll get a direct message from someone you follow (whose account has already been compromised) that asks you to click a link, for one of many ever-changing reasons. When you click the link, you’re taken to a page that looks like the Twitter login page, but it is not at twitter.com. Unknowingly, many people enter their user name and password here, at which point the hacker has access to the account and can use it to send more direct messages.
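The giveaway described above is the address of the page, so here is that check written out as an added example (not part of the original post): it accepts a link only when its host really is twitter.com or a subdomain of it. The sample links are constructed, and requiring HTTPS is an assumption added here.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "twitter.com"  # the domain the real login page lives on


def is_genuine_login_url(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if url is HTTPS and its host is `trusted` or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # drops any "user@" prefix and port, lower-cases
    except ValueError:
        return False
    if parts.scheme != "https" or not host:  # HTTPS requirement: assumption
        return False
    try:
        # Convert to the ASCII (punycode) form so look-alike Unicode letters
        # cannot compare equal to the real name.
        host = host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return False
    # Compare whole labels from the right: a substring match is not enough.
    return host == trusted or host.endswith("." + trusted)


# Constructed sample links, in the style of what arrives in a direct message.
SAMPLE_LINKS = [
    "https://twitter.com/login",                    # genuine
    "https://mobile.twitter.com/session/new",       # genuine subdomain
    "https://twitter.com.login.example.net/",       # real name used as a prefix
    "https://twitter.com@login.example.net/",       # real name in the userinfo part
    "https://nottwitter.com/login",                 # real name as a suffix only
    "https://tw\u0456tter.com/login",               # Cyrillic look-alike letter
    "http://twitter.com/login",                     # not HTTPS
]


def check_all(links):
    """Map each link to True (genuine) or False (do not enter a password)."""
    return {link: is_genuine_login_url(link) for link in links}


if __name__ == "__main__":
    for link, ok in check_all(SAMPLE_LINKS).items():
        print(("OK      " if ok else "SUSPECT ") + link)
```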

Here’s where things get scary. A crafty hacker could also potentially break into your Facebook page, blog, or email. Once they have your user name and password, they can get your email address from your account details on Twitter. Then, they can head over to Gmail, Hotmail or whoever you’re using and try logging in using the same password you use for Twitter. Unfortunately, there’s a good chance that this will work, since studies have shown that many people use the same password for everything. So how do they get into your blog? If you’ve linked to your blog in the Web entry on your Twitter account, the hacker now knows where your blog is, and they’ve got a relatively good password to try on it too. The same goes for Facebook, and anything else that you’ve ever linked to from Twitter, perhaps a Digg page or a MySpace page.

This is all speculation, but if you’re using the same passwords for more than one online service, be sure to change all of them if you’ve been affected by this attack.

Posted on January 5, 2009 at 12:07 pm by Matt Walsh