A third-party Twitter tool breach last night resulted in Nazi spam on high-profile accounts.
Twitter Counter this morning acknowledged that "our service was hacked" and that it has "taken measures to contain such abuse."
"Assuming this abuse is indeed done using our system, we've blocked all ability to post tweets and changed our Twitter app key," it said. "The Twitter Counter application is blocked on Twitter. If this activity continues, then we strongly believe it's not just through us."
Twitter Counter is a statistics and analytics service; the company says it does not store Twitter account credentials or credit card information. The breach, however, did allow the hackers to post on the feeds of those who previously linked their Twitter accounts to Twitter Counter. A similar incident occurred in November.
One person hit by the spam was security analyst Graham Cluley, who got off a plane to find Nazi spam and Turkish hashtags littering his Twitter feed.
"Some people on Twitter speculated that maybe I had clicked on a dodgy link, or foolishly not followed my own advice to ensure that Login Verifications was enabled on my account," Cluley wrote in a blog post. "But no, I hadn't clicked on any dodgy links (I'd been up in a plane with no data!), and of course I protect every online account I can with two-factor authentication or two-step verification."
Instead, "I gave Twitter Counter access to my account in October 2014, and that clearly was a decision I now regret," he wrote.
"Twitter Counter requests read *and* write access to your Twitter account, in order to do its jiggery pokery counting your Twitter followers," he continued. "Why it would need write access, unless it is planning its own self-promotion, I can't say."
As NBC notes, the breach also hit BBC North America, the World Meteorological Organization, Blockchain, tennis star Boris Becker, the Atlanta Police Department, and Justin Bieber's Japanese account.
The tweets appear to support Turkish President Recep Tayyip Erdogan, who is currently locked in a battle with the Dutch government, NBC says. Erdogan recently called the Dutch government "Nazi remnants and fascists" after it blocked a Turkish minister's visit to the country's consulate in Rotterdam.
Twitter is pointing people to its support website, which recommends that people "be cautious before giving third-party applications access to your account [and] review third-party applications that have access to your account from time to time."
To revoke access to an app, sign into your account on Twitter.com, click your profile photo on the top right and select Settings & privacy > Apps. There you can see all the apps that are linked to your account; click to remove those you no longer use or want.