Slashdot Mirror


55,000 Twitter Accounts Hacked, Passwords Leaked

MojoKid writes "Tens of thousands of Twitter accounts have been compromised in a recent hack attack in which more than 55,000 passwords were leaked and posted to Pastebin by anonymous hackers. Most of the accounts supposedly belonged to spammers, and there were many duplicate entries, Twitter officials pointed out. However, to play it safe, you should probably change your Twitter password ASAP."

20 of 66 comments

  1. Re:Bad Systems Design? by jhoegl · Score: 4, Funny

    Nah, they just tried "12345" on all the accounts.
    I think they saw it in a movie once.

  2. Not just Twitter by Anonymous Coward · Score: 4, Insightful

    How many people use the same password on several services?

  3. Update: No recent hack, just repackaged old data by Kelson · Score: 5, Informative

    From CNet's article:

    After Lamo and others found that at least some of the alleged account data had been posted on the Web last year and speculated that the list appeared to be compiled from various sources, including spam accounts, Twitter provided CNET this statement when asked for comment: "We've looked into this and can confirm that Twitter was not compromised. For extra precaution, yesterday, we pushed out password resets to accounts that may have been affected."

  4. As pointed out in several other places... by spec8472 · Score: 5, Informative

    There is no evidence Twitter themselves were "hacked".
    This is likely the password file from a spambot c&c network.

    All* the twitter accounts shown follow the same naming and password rules. This is not typical of how a random selection of users would set up their account.
    In addition all/most of these accounts are or were suspended (typically this is for spam).

    * I may have missed one, but given several others point out the same...

    Ref: Reddit: 55.000+ Twitter usernames and passwords leaked

  5. Re:Why am I not surprised? by Anonymous Coward · Score: 2, Funny

    I certainly am surprised. I thought they had more than 55,000 users. Maybe there are only 55,000 unique passwords amongst their users?

  6. looks like pretty low-value accounts by Trepidity · Score: 4, Informative

    A huge number of the account names and passwords look clearly auto-generated. I would guess it's not a "real" leak of actual users' data, but a compromise of some spammer's twitter-bot farm.

    I mean, this is not what a leak of regular Twitter-user u/p would look like:

    Idellcfipt:E7QkDx28
    Yiqafky:A417tSFv
    Mi_deq:15j6onel

    1. Re:looks like pretty low-value accounts by Fwipp · Score: 5, Funny

      I agree, clearly not real people. Those passwords are way too strong.

    2. Re:looks like pretty low-value accounts by NoEvidenZ · Score: 5, Informative

      That's absolutely what I thought.

      The list starts off strong with roughly 5000 script generated accounts. The usernames and passwords are just too obviously random to be real.

      It looks like it then goes on to some phished accounts.

      Also looks like a large amount are duplicates.
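The thread above triages the dump by eye: the first few thousand pairs look script-generated, later ones look phished, and many are duplicates. The following is an added example (not code from the original post or from Twitter) that does the same triage mechanically over a constructed sample: it parses user:password lines, counts duplicates, and flags passwords that look machine-generated using a character-class-transition heuristic. The three pairs quoted in the comment above are included in the sample; the other lines, the common-password set and the thresholds are assumptions made here for illustration.

```python
import math
from collections import Counter

# Constructed sample of a "user:password" dump. The first three lines are the
# ones quoted in the comment above; the remaining lines are made up here to
# exercise the duplicate and human-chosen cases the thread describes.
SAMPLE_DUMP = """\
Idellcfipt:E7QkDx28
Yiqafky:A417tSFv
Mi_deq:15j6onel
Idellcfipt:E7QkDx28
jenny_smith84:ilovemydog
bobtweets:password1
bobtweets:password1
bobtweets:password1
"""

# A handful of dictionary passwords; a real triage would load a wordlist.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345", "qwerty", "iloveyou"}


def parse_dump(text):
    """Return (username, password) pairs. Split on the first colon only,
    because passwords may themselves contain colons."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        pairs.append((user, password))
    return pairs


def dedupe(pairs):
    """Return the unique pairs in first-seen order and how many duplicates were dropped."""
    seen, unique = set(), []
    for pair in pairs:
        if pair not in seen:
            seen.add(pair)
            unique.append(pair)
    return unique, len(pairs) - len(unique)


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _char_class(c):
    if c.isdigit():
        return "d"
    if c.isupper():
        return "u"
    if c.islower():
        return "l"
    return "o"


def class_transitions(s):
    """Count adjacent characters that switch between digit/upper/lower/other.
    Generated strings such as E7QkDx28 switch constantly; human passwords
    such as password1 usually have a word followed by a digit or two."""
    classes = [_char_class(c) for c in s]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def looks_generated(password, min_len=8, min_transitions=3):
    """Heuristic flag for script-generated credentials. The thresholds are
    assumptions tuned to the sample above, not a published rule."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return len(password) >= min_len and class_transitions(password) >= min_transitions


def triage(text):
    """Summarise a dump: totals, duplicates, and which unique pairs look scripted."""
    pairs = parse_dump(text)
    unique, duplicates = dedupe(pairs)
    generated = [(u, p) for u, p in unique if looks_generated(p)]
    human_like = [(u, p) for u, p in unique if not looks_generated(p)]
    return {
        "total": len(pairs),
        "unique": len(unique),
        "duplicates": duplicates,
        "generated": generated,
        "human_like": human_like,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP)
    print(f"{report['total']} lines, {report['unique']} unique, {report['duplicates']} duplicates")
    for user, pw in report["generated"]:
        print(f"  scripted? {user}:{pw}  entropy={shannon_entropy(pw):.2f} bits/char")
    for user, pw in report["human_like"]:
        print(f"  human?    {user}:{pw}  entropy={shannon_entropy(pw):.2f} bits/char")
```

Entropy alone does not separate the two groups (password1 has more distinct symbols than 15j6onel), which is why the heuristic keys on how often the character class changes; on a real dump you would combine this with a wordlist check and, where available, account-status data such as the suspensions other commenters noticed.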

  7. Think I was hit by lunatick · Score: 2

    Maybe it's just a coincidence but I checked my twitter account and couldn't log in, had to reset my password. Damn now I need to find a password other than 12345, BTW could you pass the Peri-Air?

    --
    The Lunatick, Carpe Corpus!

    1. Re:Think I was hit by Ol Olsoc · Score: 2

      Damn now I need to find a password other than 12345,

      You could try Password1

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

    2. Re:Think I was hit by Cinder6 · Score: 3, Funny

      Thanks for the suggestion, but that just showed up as a bunch of asterisks for me. (Maybe that would be a good password?)

      --
      If you can't convince them, convict them.

  8. Why the hell would twitter even KNOW my password? by CFD339 · Score: 3, Interesting

    Well managed sites do not store your password. They store an encryption HASH of your password. When you type in your password, they use the same routine to HASH what you type in and compare the hashes. You cannot go backward from a hash to a password (well, not a modern hash, and not with a password that isn't a simple common word). There is no excuse for a web site to actually have a stored copy of your actual password anywhere in their systems.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln

  9. Re:Why the hell would twitter even KNOW my passwor by EvanED · Score: 4, Insightful

    Good thing these passwords weren't obtained by attacking Twitter's servers directly then.

  10. Re:And... by Ol Olsoc · Score: 2

    Not to be a curmudgeon, but does twitter really contribute anything to the world?

    Where else ya gonna go to get your password hacked?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  11. Caring about it by fizzer06 · Score: 3, Funny

    Try as hard as I can, still don't care about twits and their tweets.

  12. Re:Update: No recent hack, just repackaged old dat by deblau · Score: 3, Interesting

    Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?

    http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/

    I don't know why anyone would ever talk to this guy again for the rest of his life.

    --
    This post expresses my opinion, not that of my employer. And yes, IAAL.

  13. And nothing of value was lost by the eric conspiracy · Score: 3, Interesting

    Seems to me it's more likely that somebody now owns the Twitter password server and is now trying to get everyone to change their password so he'll have all the twitter user passwords.

    Hello, FBI, is that you??

  14. Re:Why the hell would twitter even KNOW my passwor by danlip · Score: 3, Interesting

    Salted and hashed. Without salt you can use rainbow tables to reverse the hash. But you're right, they shouldn't be storing it anywhere or using reversible encryption.
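CFD339's comment (hash, don't store) and danlip's follow-up (salt it, or a precomputed table reverses it) describe the same design. The block below is an added example, not code from the original thread or from Twitter, showing both halves: an unsalted SHA-256 that a precomputed digest-to-plaintext table recovers in one lookup, beside a salted, iterated PBKDF2-HMAC-SHA256 record that the same table cannot touch and that is checked with a constant-time compare. The tiny "table" of common passwords, the record format and the iteration count are assumptions made for the example (600,000 is the current OWASP floor for PBKDF2-HMAC-SHA256).

```python
import hashlib
import hmac
import os

# Assumed tiny stand-in for a rainbow/lookup table: precomputed digest -> plaintext
# for a few common passwords. Real tables hold billions of entries; the mechanism
# is identical.
COMMON_PASSWORDS = ["12345", "password", "Password1", "letmein", "qwerty"]


def unsalted_sha256(password):
    """An unsalted store: identical passwords produce identical digests on every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates):
    return {unsalted_sha256(p): p for p in candidates}


def crack_unsalted(stored_digest, lookup):
    """One dictionary lookup recovers the plaintext behind an unsalted digest."""
    return lookup.get(stored_digest)


# Assumed iteration count (OWASP floor for PBKDF2-HMAC-SHA256); raise it over time.
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$derived_key (hex)."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def stored_digest(record):
    """The derived-key field an attacker would see in a leaked database."""
    return record.split("$")[3]


if __name__ == "__main__":
    lookup = build_lookup(COMMON_PASSWORDS)
    print("unsalted sha256 cracked to:", crack_unsalted(unsalted_sha256("12345"), lookup))

    rec_a = hash_password("12345")
    rec_b = hash_password("12345")
    print("same password, two records differ:", rec_a != rec_b)
    print("salted digest found in table:", crack_unsalted(stored_digest(rec_a), lookup))
    print("verify correct password:", verify_password("12345", rec_a))
    print("verify wrong password:  ", verify_password("12346", rec_a))
```

The salt does not make a weak password strong; an attacker who has the record can still guess "12345" directly. What it removes is the shared precomputation: every user's record needs its own run of the slow KDF, which is why the iteration count matters as much as the salt.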

  15. Re:Update: No recent hack, just repackaged old dat by Anonymous Coward · Score: 2, Insightful

    Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?

    http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/

    I don't know why anyone would ever talk to this guy again for the rest of his life.

    I'd talk to him. He reported an Intelligence officer with access to sensitive information who was planning on leaking it because he was pissed off about the military's policy towards homosexuals. If you bother to read the conversations it's pretty fucking obvious that Manning had an axe to grind, went into the systems and dug up any and all information he thought might make the military look bad, and then leaked it. After the fact, he tried to claim that he was "blowing the whistle" on supposed war crimes which he never provided evidence to support.

    If I was Lamo I'd have done the same thing. Manning was using him, he lied to him about his motivations in order to get assistance in leaking the material. Had I been told that there was War Crime evidence, I'd have been more than happy to help with a leak, but upon discovering that I was being sucked into some kind of personal vendetta against "the man" I'd also have gone to the authorities with the info.

    Note that I am not defending the military's policy towards gays here, I think it's stupid. But it's not like it was some kind of secret when Manning signed up, either, and it's certainly not justification to sell out your countrymen who have little or no ability to influence or change such policies.

  16. Re:Why the hell would twitter even KNOW my passwor by jaymemaurice · Score: 2

    If only the world was so simple. Passwords sometimes need to be stored un-hashed. For example, your ISP may have your password unhashed or stored in a reversible encryption to facilitate secure-ish un-encrypted authentication such as CHAP.

    And even if said well managed site stores salted hashes, it is often trivial for someone with access to a compromised server to log the username/password pairs before the salted hash is compared... and sure the client can send a salted hash which is salted based off a challenge - and then hashed and compared against a different hash but that's a little redonkeylous and even then an attacker who has access to the code could still make the clients send only hashes which are based off of a salt that they have rainbow tables for - or just fix it.

    The golden rule of life is simple:
    Don't believe any information/procedure you create/disclose/share will be used for the purpose you originally created/disclosed/shared it... and when that sinks in you will either be paranoid or indifferent.

    --
    120 characters ought to be enough for anyone