Slashdot Mirror
55,000 Twitter Accounts Hacked, Passwords Leaked
MojoKid writes "Tens of thousands of Twitter accounts have been compromised in a recent hack attack in which more than 55,000 passwords were leaked and posted to Pastebin by anonymous hackers. Most of the accounts supposedly belonged to spammers, and there were many duplicate entries, Twitter officials pointed out. However, to play it safe, you should probably change your Twitter password ASAP."
Nah, they just tried "12345" on all the accounts.
I think they saw it in a movie once.
Me too, but being able to read the article would help :-/
How many people use the same password on several services?
This'll teach you to disobey a direct order from the police. Get down on the ground.
From CNet's article:
After Lamo and others found that at least some of the alleged account data had been posted on the Web last year and speculated that the list appeared to be compiled from various sources, including spam accounts, Twitter provided CNET this statement when asked for comment: "We've looked into this and can confirm that Twitter was not compromised. For extra precaution, yesterday, we pushed out password resets to accounts that may have been affected."
There is no evidence Twitter themselves were "hacked".
This is likely the password file from a spambot c&c network.
All* the twitter accounts shown follow the same naming and password rules. This is not typical of how a random selection of users would set up their account.
In addition all/most of these accounts are or were suspended (typically this is for spam).
* I may have missed one, but given several others point out the same...
Ref: Reddit: 55.000+ Twitter usernames and passwords leaked
I certainly am surprised. I thought they had more than 55,000 users. Maybe there are only 55,000 unique passwords amongst their users?
A huge number of the account names and passwords look clearly auto-generated. I would guess it's not a "real" leak of actual users' data, but a compromise of some spammer's twitter-bot farm.
I mean, this is not what a leak of regular Twitter-user u/p would look like:
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Maybe it's just a coincidence but I checked my twitter account and couldn't log in, had to reset my password. Damn now I need to find a password other than 12345, BTW could you pass the Peri-Air?
The Lunatick, Carpe Corpus!
Well managed sites do not store your password. They store an encryption HASH of your password. When you type in your password, they use the same routine to HASH what you type in and compare the hashes. You cannot go backward from a hash to a password (well, not a modern hash, and not with a password that isn't a simple common word). There is no excuse for a web site to actually have a stored copy of your actual password anywhere in their systems.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Good thing these passwords weren't obtained by attacking Twitter's servers directly then.
Not to be a curmudgeon, but does twitter really contribute anything to the world?
Where else ya gonna go to get your password hacked?
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Try as hard as I can, still don't care about twits and their tweets.
TLDR
Just get it from here:
http://www.airdemon.net/hacker107.html
Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
I don't know why anyone would ever talk to this guy again for the rest of his life.
This post expresses my opinion, not that of my employer. And yes, IAAL.
Seems to me it's more likely that somebody now owns the Twitter password server and is now trying to get everyone to change their password so he'll have all the twitter user passwords.
Hello, FBI, is that you??
"Fight us over our subpoenas? Fine, you have 'Chinese' hackers eating you now."
I am John Hurt.
Those are the people without tin-foil hats. ;-)
But honestly, if you think someone is watching you, someone probably is.
I am John Hurt.
Yes, you should change your password. 55k passwords posted, unknown amount compromised but unposted until (if) they figure out where they came from.
Or at least not directly hacked from Twitter.
If you look at the logins there is a mix of usernames and email addresses. Since Twitter lets you login using either your twitter handle or email address, it looks as if these were somehow keylogged or otherwise hijacked, as opposed to Twitter being hacked.
Salted and hashed. Without salt you can use rainbow tables to reverse the hash. But you're right, they shouldn't be storing it anywhere or using reversible encryption.
Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?
http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/
I don't know why anyone would ever talk to this guy again for the rest of his life.
I'd talk to him. He reported an Intelligence officer with access to sensitive information who was planning on leaking it because he was pissed off about the military's policy towards homosexuals. If you bother to read the conversations it's pretty fucking obvious that Manning had an axe to grind, went into the systems and dug up any and all information he thought might make the military look bad, and then leaked it. After the fact, he tried to claim that he was "blowing the whistle" on supposed war crimes which he never provided evidence to support.
If I was Lamo I'd have done the same thing. Manning was using him, he lied to him about his motivations in order to get assistance in leaking the material. Had I been told that there was War Crime evidence, I'd have been more than happy to help with a leak, but upon discovering that I was being sucked into some kind of personal vendetta against "the man" I'd also have gone to the authorities with the info.
Note that I am not defending the military's policy towards gays here, I think it's stupid. But it's not like it was some kind of secret when Manning signed up, either, and it's certainly not justification to sell out your countrymen who have little or no ability to influence or change such policies.
I wish i had some mod points for you
If only the world was so simple. Passwords sometimes need to be stored un-hashed. For example, your ISP may have your password unhashed or stored in a reversable encryption to facilitate secureish un-encrypted authentication such as CHAP.
And even if said well managed site stores salted hashes, it is often trivial for someone with access to a compromised server to log the username/password pairs before the salted hash is compared... and sure the client can send a salted hash which is salted based off a challenge - and then hashed and compared against a different hash but thats a little redonkeylous and even then an attacker who has access to the code could still make the clients send only hashes which are based off of a salt that they have rainbow tables for - or just fix it.
The golden rule of life is simple:
Don't believe any information/procedure you create/disclose/share will be used for the purpose you originally created/disclosed/shared it... and when that sinks in you will either be parinoid or indifferent.
120 characters ought to be enough for anyone
Wouldn't it be simpler to just post a story on the days when skateboardface & his lackeys don't fuck something up?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Absolutely. Sure, if you want to follow a random selection of users then you're just going to get lots of updates on what people are having for lunch, but the trick is to follow people you find interesting. I mostly follow people involved in physics, maths, science writing and a few other topics I'm interested in. It's essentially a news feed if you get it right, I first heard about CERN's "super-luminal neutrinos" through Twitter.
Yes, there's a lot of noise (just try reading the "raw" feed if you want to feel depressed about humanity), but the whole point of the thing is to find your own signal, and Twitter makes it very easy to get a good signal/noise ratio.
If you want something "useful to the species", people have set up programs which scan Twitter for "earthquake" and a place name or geolocation tag and can then give early warning before the waves hit (internet traffic is faster than seismic waves).
Please consider this account deleted, I just can't be bothered with the spam anymore.
It's a great way to catch breaking news if you don't sit in front of a TV all day. Yesterday would be a prime example, glancing down at my phone on an afternoon smoke break to find out the president had announced his support of same-sex marriage. It was a good hour or so before that had made its way through the major news sources. You can find accounts for everything from local news, to your state-level organizations and agencies, to specific committees in congress or the house.
Whatever else you may think of Lamo one thing is abundantly clear: he's untrustworthy.
If all else fails, immortality can always be assured by spectacular error.
Send your username and password to me and I'll check for you.
If all else fails, immortality can always be assured by spectacular error.
It's good advice (your golden rule). There are only two levels of paranoia, to a computer security person. Absolute, and insufficient.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln