Social networking tool Twitter was hit by a major hacker attack on Monday, with several "high profile" accounts -- including that of President-elect Barack Obama -- taken over by computer criminals, the firm said.
The hackers then impersonated a series of famous users by sending out fake, sometimes embarrassing messages.
Among them was a Twitter message posted on CNN anchor Rick Sanchez's blog that said Sanchez "might not be coming into work today," because of drug use. The message was quickly removed.
A later message on Sanchez's Twitter account said, "Sorry loyal followers. Someone hacked us for a moment there." Sanchez is among Twitter's most popular users, and incorporates the service into his afternoon show on the cable network.
A spokeswoman for CNN said the network would issue a statement on the situation shortly.
Obama's Twitter page urged visitors to take an online survey and win a gas card, but the link actually sent visitors to a site that pays commissions to affiliates who generate traffic.
Other Web surfers suggested that several other high-profile users also were hit by hackers. Britney Spears' Twitter page included obscene language. A note critical of anchor Bill O'Reilly was apparently posted on the Fox News Twitter page.
Twitter acknowledged the hack, posting on its corporate blog at about 1:30 ET that "we have identified the cause and blocked it."
The San Francisco-based company said that 33 accounts were compromised "by an individual who hacked into some of the tools our support team uses to help people do things like edit the e-mail address associated with their Twitter account when they can't remember or get stuck." Sanchez and Obama are now back in control of the accounts, Twitter said. The company also said that Obama had not posted to the Twitter page since the Nov. 4 election.
Also, a phishing attack
That high-profile hacks weren't the only problem Twitter had on Monday. The firm also suffered a first-of-its kind phishing attack over the weekend.
The firm said the phishing attack was "unrelated" to the high-profile Twitter impersonation.
Thousands of Twitter users reported receiving messages urging them to visit a Web page with the message: "Check out this funny blog about you." Others received a similar message that said, "Hey, i found a website with your pic on it. … LOL check it out here twitterblog." On Monday, another phishing message said users could win an iPhone by clicking on the message.
Users who clicked on the link were asked to log in to Twitter. The site they were directed to mimicked the real Twitter site, but was actually controlled by hackers and apparently designed to steal Twitter passwords. At least some of those who fell for the ruse had their accounts hijacked and used to send out more phishing e-mails.
Phishing e-mails are hardly new, and many Web users have become too sophisticated to fall for traditional e-mail phishing scams. But the Twitter phishing messages were more believable, for several reasons. They appeared to be sent by a trusted user. And Twitter users can log in using third-party sites.
"If you are a Twitter subscriber you should be aware of these recent phishing efforts and how to protect yourself," said Marian Merritt, a security expert at Symantec Corp.
Twitter allows users to connect with each other through short, 140-character messages similar to cell phone text messages. The service says it has 6 million registered users, though the number of active users is less. Similar to Facebook or MySpace, users agree to subscribe to each other's "feeds," and can follow each other's daily lives through the short notes.
While having a Twitter account hijacked might not seem that dangerous, it obviously can be detrimental to high-profile users. Also, nearly half of all Web users use the same password at all Web sites they use, according to security firm Sophos, meaning Twitter users who fell for the phishing attack may also have put their online banking accounts and other financial accounts at risk.
Twitter is urging users to change their passwords in response to the attack.