Slashdot Mirror
55,000 Twitter Accounts Hacked, Passwords Leaked
MojoKid writes "Tens of thousands of Twitter accounts have been compromised in a recent hack attack in which more than 55,000 passwords were leaked and posted to Pastebin by anonymous hackers. Most of the accounts supposedly belonged to spammers, and there were many duplicate entries, Twitter officials pointed out. However, to play it safe, you should probably change your Twitter password ASAP."
How did they steal these passwords? For Twitter's sake I hope it was done via keylogger or MITM attack.
How many people use the same password on several services?
This'll teach you to disobey a direct order from the police. Get down on the ground.
>55,000 passwords were leaked
Why am I not surprised?
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
From CNet's article:
After Lamo and others found that at least some of the alleged account data had been posted on the Web last year and speculated that the list appeared to be compiled from various sources, including spam accounts, Twitter provided CNET this statement when asked for comment: "We've looked into this and can confirm that Twitter was not compromised. For extra precaution, yesterday, we pushed out password resets to accounts that may have been affected."
There is no evidence Twitter themselves were "hacked".
This is likely the password file from a spambot c&c network.
All* the twitter accounts shown follow the same naming and password rules. This is not typical of how a random selection of users would set up their account.
In addition all/most of these accounts are or were suspended (typically this is for spam).
* I may have missed one, but given several others point out the same...
Ref: Reddit: 55.000+ Twitter usernames and passwords leaked
A huge number of the account names and passwords look clearly auto-generated. I would guess it's not a "real" leak of actual users' data, but a compromise of some spammer's twitter-bot farm.
I mean, this is not what a leak of regular Twitter-user u/p would look like:
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
need pleople to seed http://thepiratebay.se/torrent/7256774/55000_twitter_accounts_and_passwords so I know if i have to change my password.
So you're saying that the stupid txt broadcast company with the fadish technology and the fail whale... Wait, how is this even news?
Without knowing how they got the usernames/passwords this information is useless.
$20 says these were probably secured via phishing pages.
Considering how many spam DM's i get from the "someone is saying something terrible about you...XXPHISHSITE.com" having 55,000 username/passwords isnt that big a deal.
Now if they hacked twitter server etc then this would be a bigger deal
- http://blog.mytblock.com/2012/05/55000-twitter-usernames-and-passwords.html
Maybe it's just a coincidence but I checked my twitter account and couldn't log in, had to reset my password. Damn now I need to find a password other than 12345, BTW could you pass the Peri-Air?
The Lunatick, Carpe Corpus!
Really the only ones who'd be harmed by this are celebrities (including politicians) who crave followers. And presumably these have staff that will fix the problem for them. I have a bazillion Twitter accounts that I register and discard simply to comment on some idiot's Tweet.
PS. Isn't relative anonymity the main attraction of Twitter versus the privacy murdering social networks like F*c*book and Gee+?
How much time people manage to waste writing and reading messages of 140 characters or less.
Well managed sites do not store your password. They store an encryption HASH of your password. When you type in your password, they use the same routine to HASH what you type in and compare the hashes. You cannot go backward from a hash to a password (well, not a modern hash, and not with a password that isn't a simple common word). There is no excuse for a web site to actually have a stored copy of your actual password anywhere in their systems.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Good thing these passwords weren't obtained by attacking Twitter's servers directly then.
Not to be a curmudgeon, but does twitter really contribute anything to the world?
Speaking of hacked, I haven't got around to logging in or moderating when I get the chance. Been too busy being bio-hacked/mind controlled. Anyone had their selves or someone else hacked? E.G made to say things, have passwords extracted from their minds? I don't feel like anything is safe anymore with such shenanigans going on.
Try as hard as I can, still don't care about twits and their tweets.
Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
I don't know why anyone would ever talk to this guy again for the rest of his life.
This post expresses my opinion, not that of my employer. And yes, IAAL.
Seems to me it's more likely that somebody now owns the Twitter password server and is now trying to get everyone to change their password so he'll have all the twitter user passwords.
Hello, FBI, is that you??
"Fight us over our subpoenas? Fine, you have 'Chinese' hackers eating you now."
I am John Hurt.
Twitter has been blocking efforts by NY to reveal the twitter feeds of a blogger associated with 'Occupy".
I suspect that NY 'read New York Police' pulled some strings and got FBI to hack Twitter accounts.
The FBI, like other non-elected elements of the US government have no regard for local laws, state
laws, Federal laws, Constitutional laws and not even, heaven forbid, international laws such as the
taudry thing like the 'rights of prisoners of war' and such.
Be that as it may.
Never the less, FBI personnel, like the White House Staff, are touchable and their 'place' can be
found and monitored minute-by-minute with great ease, for those who know.
Therefore, some 'touching' of these 'personnel' need be done and soon and with great 'effect'.
Happy driving home boys and girls; 'snicker snicker'. Oh! careful that door nob!
LoL
Or at least not directly hacked from Twitter.
If you look at the logins there is a mix of usernames and email addresses. Since Twitter lets you login using either your twitter handle or email address, it looks as if these were somehow keylogged or otherwise hijacked, as opposed to Twitter being hacked.
Salted and hashed. Without salt you can use rainbow tables to reverse the hash. But you're right, they shouldn't be storing it anywhere or using reversible encryption.
The Commandars of the submarines of the Stratigic Nuclear Submarine Fleet still retain the perogative to launch on warning.
The target or targets, up to them.
Assumptiond regarding the location of target or targets should not be presumed.
The target and targets can be withing United States of America borders!
The prime target can be a location within the White House.
USA Air Force Dept. installations and assests can be targeted as well, as be needed.
Although, evaporating one human being within the White House, when evaporating upwards
of 1 to 2 million USA citizens in the northern Virginia, Washington DC, Maryland area may
seem, excessive, given circumstances, may be necessary.
LoL
Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
I don't know why anyone would ever talk to this guy again for the rest of his life.
I'd talk to him. He reported an Intelligence officer with access to sensitive information who was planning on leaking it because he was pissed off about the military's policy towards homosexuals. If you bother to read the conversations it's pretty fucking obvious that Manning had an axe to grind, went into the systems and dug up any and all information he thought might make the military look bad, and then leaked it. After the fact, he tried to claim that he was "blowing the whistle" on supposed war crimes which he never provided evidence to support.
If I was Lamo I'd have done the same thing. Manning was using him, he lied to him about his motivations in order to get assistance in leaking the material. Had I been told that there was War Crime evidence, I'd have been more than happy to help with a leak, but upon discovering that I was being sucked into some kind of personal vendetta against "the man" I'd also have gone to the authorities with the info.
Note that I am not defending the military's policy towards gays here, I think it's stupid. But it's not like it was some kind of secret when Manning signed up, either, and it's certainly not justification to sell out your countrymen who have little or no ability to influence or change such policies.
I wish i had some mod points for you
If only the world was so simple. Passwords sometimes need to be stored un-hashed. For example, your ISP may have your password unhashed or stored in a reversable encryption to facilitate secureish un-encrypted authentication such as CHAP.
And even if said well managed site stores salted hashes, it is often trivial for someone with access to a compromised server to log the username/password pairs before the salted hash is compared... and sure the client can send a salted hash which is salted based off a challenge - and then hashed and compared against a different hash but thats a little redonkeylous and even then an attacker who has access to the code could still make the clients send only hashes which are based off of a salt that they have rainbow tables for - or just fix it.
The golden rule of life is simple:
Don't believe any information/procedure you create/disclose/share will be used for the purpose you originally created/disclosed/shared it... and when that sinks in you will either be parinoid or indifferent.
120 characters ought to be enough for anyone
After reading about the leak yesterday I quickly put together a little search tool that lets you search for your username to check whether your account is compromised. I know, probably most accounts should belong to spammers but just to be sure, you can check here: http://twitterleak.martinwittmann.at/
Hope that helps some of you, Martin
Wouldn't it be simpler to just post a story on the days when skateboardface & his lackeys don't fuck something up?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
So it's true: persons like you REALLY exist.
Man, that is so........ Sad.
Oh, the irony. He's being objective, impartial and informed, while you're spouting this empty teenage rebellion rhetoric.
you will learn so much things...
Please finish high school English before getting on your political soapbox, you'll learn so many things...
Whatever else you may think of Lamo one thing is abundantly clear: he's untrustworthy.
If all else fails, immortality can always be assured by spectacular error.
I'm not saying that in this particular case the goal was some kind of chaos or bragging : for all we know maybe they hacked *ALL* the Twitter accounts/passwords and are asking for a ransom but...
This whole "I cracked a shitload of accounts/passwords and I'm pasting them to pastebin" happens quite often.
So let me ask to all the knee-jerkers here that constantly, everytime the security issue comes up, say that dark side hackers/pirates are only doing it "for the munnies" / "for the russian mob" / or other bullsh*t, what do you think is the probability that some pirates do only pirate for the lulz?
Just to brag, just to prove they're good. Just because they *can* do it?
I think that the probability that some of the pirates out there are *not* motivated by money is 100%.
So now I'd like all these knee-jerkes to sh*t the f*ck up everytime a security issue comes up. No, all pirates out there are not slaves working for some mafia. Some will pirate you even if there's *zero* money to be made.
Phished. Big difference.
It's good advice (your golden rule). There are only two levels of paranoia, to a computer security person. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln