Twitter Explains Security Exploit

In the official post, Twitter security team member Bob Lord lays out a timeline of the attack, its underlying cause and the scope of its reach.

As we noted earlier this morning, malicious users exploited a cross-site scripting (XSS) hole on Twitter's website. The result was that thousands of users were redirected to other websites and automatically sent tweets that passed the exploit on to others.

This type of attack was particularly nasty because it could be exploited simply by hovering over a link on a page. In my own case, merely visiting the Twitter homepage was enough to set off a pattern of auto-tweets.
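To make the class of hole described above concrete, here is an added example (not Twitter's code) that contrasts a hypothetical link renderer interpolating a user-supplied URL unescaped with one that encodes it for the attribute context and allows only http(s) schemes; `escapeHtml`, `renderLink`, `anchorAttributeNames` and the sample input are all constructed for illustration.

```javascript
// Minimal HTML encoder: every character that could end an attribute value or
// start new markup is replaced with its entity.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs become clickable; anything else is shown as plain text.
function isHttpUrl(url) {
  return /^https?:\/\//i.test(url);
}

// VULNERABLE (hypothetical): the URL goes into href unescaped, so a value
// containing `"` terminates the attribute and the rest of the string is parsed
// as further attributes of the <a> tag, such as a mouseover event handler.
function renderLinkUnsafe(url) {
  return `<a href="${url}">${url}</a>`;
}

// HARDENED: encode for the attribute and text contexts, and refuse schemes
// other than http(s) before building any markup at all.
function renderLink(url) {
  if (!isHttpUrl(url)) return escapeHtml(url);
  const safe = escapeHtml(url);
  return `<a href="${safe}">${safe}</a>`;
}

// Lists the attribute names of the opening <a> tag so a check can see whether
// the input stayed inside href or spilled out into new attributes.
function anchorAttributeNames(html) {
  const open = html.match(/^<a\s+([^>]*)>/);
  if (!open) return [];
  return [...open[1].matchAll(/(\w+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed input (not the 2010 payload): a URL carrying a stray quote and a
// mouseover handler, the shape of breakout a hover-triggered worm relies on.
const SAMPLE = 'http://example.com/" onmouseover="alert(1)';

console.log(anchorAttributeNames(renderLinkUnsafe(SAMPLE))); // [ 'href', 'onmouseover' ]
console.log(anchorAttributeNames(renderLink(SAMPLE)));       // [ 'href' ]
```

A regression test that asserts the hardened output yields exactly one attribute name is the check worth keeping in a template library's test suite.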

Twitter says that it discovered the hole that led to the exploit last month and patched it. However, a recent update to the site (which Twitter stresses was not related to the new Twitter) caused the hole to resurface.

The exploit only affected Twitter.com users and not anyone using the mobile web site or third-party Twitter apps. Twitter says it was notified about the security hole at 2:54 am PT and had the most significant aspects patched by 7:00 am PT.

The microblogging service also says that the vast majority of uses of the exploit appear to have been pranks or promotional stunts. Lord writes that Twitter is unaware of any issues related to the attack that would have any impact on a user's computer or Twitter account. No account information was compromised, so changing passwords shouldn't be necessary.
