One of the most frequent questions we’ve had recently is about the security of SocialToo: if you store your password with us, will it remain secure? As you may already know, various phishing attacks have made their way around Twitter recently and have put the issue of password security, particularly around third-party apps, at the top of everyone’s minds. As always, we recommend that you be careful who you share your password with, always check the URL of the site you are entering your password on, and change your passwords frequently. Another good rule of thumb is never to use the same password on a less-secure website like Twitter that you use on a more secure website such as your bank.
While Twitter has not pointed the finger at any third-party apps for these phishing attacks and hacks, they have made it known that the issue is specifically related to a hosting provider that we at SocialToo.com are not using (we use Amazon EC2 for all our servers). Regardless, we take your security seriously. Here are some of the things we are doing to ensure you are in the most secure environment possible:
Frequent Database Reviews
At SocialToo, we review your data frequently while maintaining your anonymity. We do our best to monitor various worm and hacker threats, and search frequently to ensure that your accounts have not been compromised. We also keep an open dialogue with Twitter: were Twitter ever to catch something we had missed and notify us, we would correct the issue immediately. As of this moment, not a single account on SocialToo has been compromised, and it would be quite hard to do so. We ask for a separate username and password beyond your Twitter (or other social network) username and password specifically to protect you: this way, were your Twitter account to be compromised, your SocialToo.com account could not also be compromised.
Vocal Advocates of Secure Authorization Technologies
For those who know me personally, you may have read some of my recent blog posts on the subject. I still argue that Twitter’s adoption of OAuth would have stopped the phishing attacks seen recently. While I agree it won’t stop all phishing attacks, it would prevent apps such as SocialToo.com from being the cause of such attacks. We are one of the most vocal advocates on the Twitter developer mailing lists and elsewhere, and will continue to support this and other secure technologies. Twitter’s requiring developers to collect plain-text usernames and passwords is unacceptable in our minds, and the minute Twitter changes this, we will convert immediately so your data remains secure.
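To make concrete why the OAuth point matters (and why holding a copy of your Twitter password, which today’s Basic-auth API forces every third-party app to do, is a liability for that app), here is an added example written for this post; it is not SocialToo’s or Twitter’s code. It contrasts HTTP Basic authentication, where the user’s plain-text password rides in every request and must be kept recoverable by the app, with OAuth 1.0a request signing (RFC 5849), where the app holds only an access token and token secret and the Authorization header never carries either secret. The consumer key, secrets, endpoint URL and message body are constructed sample values, and the server-side check is a simplified illustration of what the API provider would do (nonce and timestamp replay checks are omitted).

```python
"""Added example (not SocialToo's or Twitter's code): Basic auth vs OAuth 1.0a.

Basic auth: the password is the credential, so the app must store it and
send it on every call. OAuth 1.0a: the app holds a revocable token and signs
each request with HMAC-SHA1; no secret ever leaves the client.
All credentials, the URL and the message body are constructed sample values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote


def basic_auth_header(username: str, password: str) -> str:
    """Basic auth: the plain-text password is merely base64-wrapped."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def password_in_basic_header(header: str) -> str:
    """Anyone holding the header (or the app's database) recovers the password."""
    _, token = header.split(" ", 1)
    return base64.b64decode(token).decode().split(":", 1)[1]


def _pct(value) -> str:
    # RFC 3986 percent-encoding with exactly the unreserved set OAuth 1.0a requires.
    return quote(str(value), safe="-._~")


def oauth_signature(method, url, params, consumer_secret, token_secret) -> str:
    """HMAC-SHA1 over the normalized request (RFC 5849 section 3.4).

    params holds every query/body parameter plus the oauth_* parameters,
    excluding oauth_signature itself; pairs are sorted after encoding.
    """
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), _pct(url), _pct(param_string)])
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth_header(method, url, body_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None) -> str:
    """Authorization header the client sends. Neither secret appears in it."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth_params["oauth_signature"] = oauth_signature(
        method, url, {**body_params, **oauth_params}, consumer_secret, token_secret)
    return "OAuth " + ", ".join(
        f'{_pct(k)}="{_pct(v)}"' for k, v in sorted(oauth_params.items()))


def parse_oauth_header(header: str) -> dict:
    """Split an 'OAuth k="v", ...' header back into decoded parameters."""
    out = {}
    for part in header[len("OAuth "):].split(", "):
        k, v = part.split("=", 1)
        out[unquote(k)] = unquote(v.strip('"'))
    return out


def server_verifies(method, url, body_params, header, consumer_secret, token_secret) -> bool:
    """Provider side: recompute the signature from stored secrets and compare
    in constant time. A tampered body or a wrong secret fails verification."""
    received = parse_oauth_header(header)
    presented = received.pop("oauth_signature", "")
    expected = oauth_signature(method, url, {**body_params, **received},
                               consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    # Constructed sample credentials and request; nothing here is real.
    ck, cs, tk, ts = "sample-app-key", "sample-consumer-secret", "sample-token", "sample-token-secret"
    url = "https://api.example.com/direct_messages/new.json"
    body = {"text": "Hello from a signed request!", "user": "alice"}
    basic = basic_auth_header("alice", "hunter2")
    print("Basic header leaks password:", password_in_basic_header(basic))
    signed = oauth_header("POST", url, body, ck, cs, tk, ts)
    print("OAuth header contains a secret:", cs in signed or ts in signed)
    print("Server accepts genuine request:", server_verifies("POST", url, body, signed, cs, ts))
    print("Server accepts tampered body:", server_verifies("POST", url, {"text": "evil"}, signed, cs, ts))
```

The practical difference for users: if an OAuth token leaks from an app’s database, the user revokes that one token at the provider and their password is untouched; if a Basic-auth password leaks, every site where that password is reused is exposed, which is exactly the phishing fallout discussed above.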
Continued Monitoring of Customer Complaints
Another thing that sets us apart from other services is that we monitor your complaints and suggestions religiously. It doesn’t matter whether you address us directly: we track mentions of our name, so if anyone suggests we could be the cause of such a phishing attack, we see each and every one of those complaints. To date, every one of those complaints has been unfounded. We believe in personal service here, and my hope is that we can continue that personalized service as long as we are able. If someone suggests we’re the cause of a phishing or hacking attack and you question that, please do not hesitate to contact me personally at jesse@socialtoo.com.
Vocal Advocates of Source Detection Technologies
Another cause we are fighting for at SocialToo is to have Twitter let clients identify their source on the DMs they send on behalf of users. Ideally, when OAuth is implemented, this should be a required feature, but for now we’ll accept optional. While we realize this will not stop phishing, it will let us ensure you know which DMs are coming from our service (we will send it with 100% of the DMs we send on behalf of our users), and if anyone spoofs our name or compromises our users’ accounts, we can know immediately. It will also give you, the user, a little more information about where the DMs you receive come from. If you think this is a good idea, would you please @reply @ev, @biz, and/or @al3x at Twitter and let them know you would like to see this? Tag it #dmsource so we can track it. We will be creating a bug for this shortly, and you can star it when it is ready to show your support as well.
As you can see, we’re doing all we can to ensure your data is secure. I’m confident it will remain so, and you can feel confident in that too. It’s a shame that we as app developers have to defend this stance, but I am confident Twitter and other social websites will do the right thing by implementing secure auth standards in the near future. When they do, we’ll be right there with them.
(BTW, I’m creating a new Security category for this – I’m sure this won’t be our last post about security!)
Image Credit: Miles Cox