Slashdot Mirror


Russian Hacker Selling Information of 32 Million Twitter Accounts, Report Says (zdnet.com)

An anonymous reader writes: The hacker who has links to the recent Myspace, LinkedIn, and Tumblr data breaches is claiming to have obtained a database of millions of Twitter accounts. The data reportedly includes addresses, usernames, and plain-text passwords of 379 million Twitter accounts. The hacker, Tessa88, wants 10 bitcoins, or about $5,820, for the cache. On Wednesday, LeakedSource claimed that the real number of accounts was just under 33 million, which is more than 10 percent of Twitter's monthly active accounts. This follows the hacking of Mark Zuckerberg's Twitter and Pinterest accounts.

54 comments

  1. In Soviet Russia by Anonymous Coward · · Score: 0

    You own social network. Again.

  2. again...? by Anonymous Coward · · Score: 0

    need to make this site a weekly visit:
    https://haveibeenpwned.com/

    1. Re:again...? by djsmiley · · Score: 2

      Or just set up the automated emails...

      --
      - http://www.milkme.co.uk
  3. Why do Slashdot users continually defend hackers? by Anonymous Coward · · Score: 0, Troll

    There are virtually no posts criticizing the hacker, despite his harmful and despicable actions. Posts suggesting he and similar hackers should be punished severely are promptly modded to -1. It's as if Slashdot users approve and encourage this type of behavior. Why?

  4. Re:Shameful moderation by Anonymous Coward · · Score: 1

    You have to be a real asshole and psychopath to think that selling hacked accounts should get someone killed, but calling for the murder of a person should not get your comment modded down.

  5. Is there any way to check if your own email... by Anonymous Coward · · Score: 1

    ...is on the list?

    Or more generally, is there a reputable website that provides this service already?

    1. Re: Is there any way to check if your own email... by Anonymous Coward · · Score: 4, Informative

      There's no way to check if your account is on the Twitter account list. That would require knowing the list, which the hacker is selling.
      In general, you should visit https://haveibeenpwned.com/ on occasion to see if your account data was breached.
      Best practice is to have different passwords everywhere, so hackers can't use stolen passwords from one site to log in to another site. This is one of the reasons selling accounts is profitable.

    2. Re: Is there any way to check if your own email... by Anonymous Coward · · Score: 0

      Equally, a greater idea for your E-MAIL address and user-names is not to use easily searched names.
      Deliberately use something weird, preferably beginning with a mid-to-late-mid letter. So, say, O-U range.
      This lowers the chance of someone randomly picking an account because they will prefer either the very bottom, middle, or top ranges, skipping the other ranges entirely.
      And the inability to easily search your account because it looks like garbled mess will make people think it is just some throw-away e-mail for spamming, trolling, etc.

      There will be millions of accounts and probably thousands for each possible character.
      So even if a hacker brute-forces all these accounts the instant they get them, it will take a while until they get to your account, giving you some chance to change it if notified early enough.
      The gibberish-looking names will probably even be skipped entirely.
      Remember, a lot of the people buying these accounts tend to be MASSIVE skids, they will be using publicly known search algos to find information on brute-forced scans of accounts, rather than searching them all one-by-one.
      If you MUST have information on your accounts, mask the fuck out of them, misspell, just don't do silly letter->number exchanges since they are well-known.
      Even go full-abstract and use metaphors.

      However, even if all that is done, they can still fuck you over regardless.
      Always use 2FA login if available.
      Use obscure password resets, not literal direct answers to the silly questions they ask.
      My first dog? "He was a fat bastard that liked licking his balls and dragged them across the floor to get off."

  6. My opening bid: $0.32 by xxxJonBoyxxx · · Score: 1

    >> 32 million Twitter accounts

    OK, let me make the opening bid. I'll give you $0.32 for all of 'em, since about 70% are probably dormant, another 20% are hooked up to broadcast services, 9% are chatbots, and the rest are probably morons for using easily-guessable passwords or falling victim to "data entry" phishing attacks.

    1. Re:My opening bid: $0.32 by FudRucker · · Score: 1

      you forgot to include spammers that only post links to clickbait and crappy books and music for sale

      --
      Politics is Treachery, Religion is Brainwashing
    2. Re:My opening bid: $0.32 by ClickOnThis · · Score: 1

      It's a deal. I can give you 120,000 of them.

      Ready for it? The most common password was "123456".

      That will be $38,400 please.

      --
      If it weren't for deadlines, nothing would be late.
    3. Re:My opening bid: $0.32 by Anonymous Coward · · Score: 0

      That's amazing, I have the same combination on my luggage!

  7. Bcoz we are by Anonymous Coward · · Score: 0

    Without us there'd be no interweb

  8. This could be a scam by tangent3 · · Score: 3, Interesting

    Someone claims this is a scam - the accounts were actually sourced from tumblr and linkedin leaks
    https://jesterscourt.cc/member...

    1. Re:This could be a scam by djsmiley · · Score: 2

      Sourced and then tested... doesn't make it a scam.

      --
      - http://www.milkme.co.uk
  9. Should we dump our old account and set up new one? by Anonymous Coward · · Score: 0

    Since the possibility of old account might have been hacked, should we dump our old accounts and set up new ones?

    Any suggestion from the experts?

  10. Re: Shameful moderation by Anonymous Coward · · Score: 0, Troll

    Why shouldn't compromising millions of people be a capital offense? The death penalty is not murder. By definition, murder is illegal. The death penalty is not illegal, therefore it is not murder.

  11. Re:Why do Slashdot users continually defend hacker by Anonymous Coward · · Score: 0, Interesting

    I see exactly what you're doing, and it's quite obvious.

    In the space of an hour (at 3 in the morning Slashdot time mind you), eight posts by ACs were made which were all off-topic shitposts, and the SOLE comment (rather than the alleged plural; "posts") claiming he should be punished was saying he should be executed. Hacking a social media account is not and never will be worthy of the death penalty or even a ruler across the knuckles. After all those posts, you MAGICALLY come along and start pointing and saying "Look! Slashdot defends hackers!"

    I would not be surprised in the least if you made those comments yourself, knowing they would get downmodded for being irrelevant and childish, just so you could scream from the rooftops about how slashdot "defends hackers".

  12. Re:Should we dump our old account and set up new o by Anonymous Coward · · Score: 3, Informative

    Yes to 1, no to 2.

  13. Re: Why do Slashdot users continually defend hacke by Anonymous Coward · · Score: 0, Troll

    Actually, no, this is a trend in many of the articles about data breaches, not just this one. The problem is that many of the discussions revolve around criticizing victims of the attacks and a general lack of security. If this is, indeed, a list of email addresses and passwords derived from other breaches and tested against Twitter, there is no wrongdoing by Twitter. Many users are ignorant about security and shaming victims is uncalled for. Therefore the finger points squarely at the criminals carrying out the attacks. This is a crime of massive scope, which is why I believe extreme penalties are justified. I also feel it calls into question the ethics of many people here who seem to hold views such as that piracy isn't wrong and don't seem too bothered by hackers causing massive data breaches. Honestly, I'm calling into question what I see as questionable ethics of many on this site, and that's the intent of my post. As for your conspiracy theory about the posts on this page, you're wrong and can go shove it.

  14. Re:Why do Slashdot users continually defend hacker by Anonymous Coward · · Score: 0

    Nah. Just watch the comments of any story like this on Slashdot. Most people here don't think that black hats like this deserve any type of punishment.

  15. Re: Why do Slashdot users continually defend hacke by Anonymous Coward · · Score: 0

    One other thing... this isn't hacking a social media account. This is profiting from compromising the accounts of millions of people. Nice straw man, though.

  16. Don't trust leakedsource.com by Artem+S.+Tashkinov · · Score: 1

    I paid those fuckers for access, never got one - all searches still return bare numbers without any data - "subscribe to see raw data".

    My five (!) support requests remain unanswered (I sent the first one over four days ago).

    It looks like they indeed have the leaked data, but they are not willing to share it with anyone.

    1. Re:Don't trust leakedsource.com by Anonymous Coward · · Score: 0

      They look like a bunch of twats. No fee to use haveibeenpwned!

  17. Good thing... by Bruinwar · · Score: 1

    It's a good thing I don't have Myspace, LinkedIn, and Tumblr accounts. Twitter? I think I got two of them I started years ago. At the time I'm sure I had a reason. I get messages on two different email accounts from Twitter, so I figure I have the accounts.

    Maybe I can go cancel them (if it's possible). I see no need for them whatsoever. Or am I missing something?

    --
    SLOWER TRAFFIC KEEP RIGHT
    1. Re:Good thing... by Bruinwar · · Score: 1

      OK so I didn't cancel them, but I did change the passwords. I might want one or both of those accounts some day. Not that it would really matter if they were hacked. There is nothing in my profile, not even my name, so what's the worst that can happen?

      --
      SLOWER TRAFFIC KEEP RIGHT
  18. Wrong attribution by softnewsit · · Score: 3, Informative

    Tessa88 was the benefactor that gave the data to LeakedSource. He's not the hacker. Way to go ZDNet. You just blamed an innocent person. https://www.leakedsource.com/b...

    --
    Go away!
  19. Re: Why do Slashdot users continually defend hacke by Anonymous Coward · · Score: 0

    Simple; if you have a security hole, it will be abused.

    Although it is not ethical, it is also not ethical for companies of that size to think about security last.

  20. This isn't just Twitter by Simon+Brooke · · Score: 2

    If it's true that the passwords have been harvested by malware which uploads the victim's browser's password cache, then this is not just Twitter. It's every site you use. The lesson, if you create websites which require authentication, outsource the authentication function to OpenID providers who have three factor authentication (e.g. Google) - or implement three factor authentication infrastructure yourself, which is not trivial.

    --
    I'm old enough to remember when discussions on Slashdot were well informed.
    1. Re:This isn't just Twitter by geekmux · · Score: 1

      If it's true that the passwords have been harvested by malware which uploads the victim's browser's password cache, then this is not just Twitter. It's every site you use. The lesson, if you create websites which require authentication, outsource the authentication function to OpenID providers who have three factor authentication (e.g. Google) - or implement three factor authentication infrastructure yourself, which is not trivial.

      Common Sense security mechanisms are trivial.

      Getting the average user or even service provider to adopt it as a matter of default is another matter entirely.

      We'll need the masses to have their identities stolen and force them to spend money on recovering their lives, reputations, and credit ratings before any real adoption is going to take place. Needless to say, the average ignorant user is gonna have to learn the hard way.

      It's like dealing with a fucking teenager. They always know better, right up to the point they're proven wrong. The hard way.

    2. Re: This isn't just Twitter by Anonymous Coward · · Score: 0

      I no longer browse the web on Windows machines. I use a mobile device without malware or Linux.

    3. Re: This isn't just Twitter by Anonymous Coward · · Score: 0

      so you're saying you only use iPhones?
      though it's a bit rich saying every Android phone has malware

      English, it's not just for Christmas

  21. Re: Shameful moderation by Anonymous Coward · · Score: 0

    The death penalty is not murder. By definition, murder is illegal. The death penalty is not illegal, therefore it is not murder.

    Hello! We don't often see this level of "logic" on /. Welcome AC/Beck/Limburg/...

  22. Re:Why do Slashdot users continually defend hacker by Anonymous Coward · · Score: 0

    And grass is green. Maybe it is too obvious.

  23. Re:People who do this should be killed by ShanghaiBill · · Score: 2

    Seriously, find out who this guy is, arrest him, destroy his data, and execute him.

    I assume you mean the idiot at Twitter who thought it was acceptable to store plain text passwords in a database. A server should never even see a plain text password. Passwords should be salted and encrypted in the browser, using SHA-256 or stronger, before being transmitted to the server.
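
On the storage point in the comment above (plain-text passwords in a database), an added example that is not part of the thread: salted PBKDF2-HMAC-SHA256 from Python's standard library, set beside unsalted SHA-256 to show what each reveals if the table leaks. The record format, iteration count and function names are assumptions of this example, and it hashes on the server rather than in the browser.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000        # assumed work factor; tune to your hardware
MAX_ITERATIONS = 5_000_000  # refuse absurd values found in a stored record


def unsalted_sha256(password):
    """What NOT to store: equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the record's own salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256" or not 1 <= rounds <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def distinct_stored_values(passwords, store):
    """How many different stored values a leaked table would show."""
    return len({store(p) for p in passwords})


if __name__ == "__main__":
    # Constructed sample: three users who all chose the same weak password.
    sample = ["123456", "123456", "123456"]
    print("unsalted SHA-256:", distinct_stored_values(sample, unsalted_sha256))
    print("salted PBKDF2:   ", distinct_stored_values(sample, hash_password))
    record = hash_password("123456")
    print("verify ok:", verify_password("123456", record))
```

With the unsalted digest, every user who picked the same password shares one stored value, so a single guess covers all of them; with a per-user salt each record has to be attacked separately.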

  24. Re:Why do Slashdot users continually defend hacker by ShanghaiBill · · Score: 3, Insightful

    It's as if Slashdot users approve and encourage this type of behavior. Why?

    Because the solution to the problem is better security, not more ethical hackers. Hackers will hack, regardless of the severity of the punishment. How many hackers do you think will be dissuaded by stern disapproval from Slashdot?

  25. not to worry... it's only by Anonymous Coward · · Score: 0

    of the 32,888,300 accounts, you will find four regular real user accounts and 32,888,296 bot accounts.

  26. Re:Why do Slashdot users continually defend hacker by Yvan256 · · Score: 1

    I think most people here do not agree with the hacker's actions, however most of us probably think that people should stop voluntarily putting all their information and their lives into public social networks. Yes the hacker is to blame, but all the users can be blamed too.

  27. Re: People who do this should be killed by Anonymous Coward · · Score: 0

    What makes you think it was someone at Twitter? This could easily be a db from a third party dev from before oauth.

  28. Re:Why do Slashdot users continually defend hacker by Cid+Highwind · · Score: 1

    Most of us have come to accept that black hats will never be punished, because on the internet it's very easy to involve multiple unfriendly countries in a crime, and when you put American and Russian agents on the same case it's very hard to get them to stop playing "my country has the biggest dick therefore I'm in charge" and start cooperating to catch the black hat. There's a subtle difference.

    --
    0 1 - just my two bits
  29. Maybe he will sell me my Twitter Password by Anonymous Coward · · Score: 0

    I lost my Twitter password 5 years ago and changed emails and Twitter will not reset it for me.. maybe the Russian dude can let me know what my password is..

  30. Where is it? by Anonymous Coward · · Score: 0

    Where's the list? I need to get into my Twitter account...

  31. Re: Shameful moderation by Anonymous Coward · · Score: 0

    Because there should be no capital offenses, big man. Even more so for hacking cases where it's particularly easy to frame someone.

  32. Re: Shameful moderation by Anonymous Coward · · Score: 0

    the Death Penalty is illegal in the civilised world, therefore it's murder there

    PS millions of people were not compromised

    millions of people's social media accounts were compromised

    those are different and not equal things

  33. Re:Why do Slashdot users continually defend hacker by Anonymous Coward · · Score: 0

    I think most people here do not agree with the hacker's actions, however most of us probably think that people should stop voluntarily putting all their information and their lives into public social networks. Yes the hacker is to blame, but all the users should be blamed too.

    FTFY

    If you do something stupid, even if someone else does something wrong, you still bear part of the responsibility