
55,000 Twitter Accounts Hacked, Passwords Leaked

samzenpus posted more than 2 years ago | from the protect-ya-neck dept.

Social Networks 66

MojoKid writes "Tens of thousands of Twitter accounts have been compromised in a recent hack attack in which more than 55,000 passwords were leaked and posted to Pastebin by anonymous hackers. Most of the accounts supposedly belonged to spammers, and there were many duplicate entries, Twitter officials pointed out. However, to play it safe, you should probably change your Twitter password ASAP."


66 comments


Bad Systems Design? (0)

Anonymous Coward | more than 2 years ago | (#39948715)

How did they steal these passwords? For Twitter's sake I hope it was done via keylogger or MITM attack.

Re:Bad Systems Design? (4, Funny)

jhoegl (638955) | more than 2 years ago | (#39948731)

Nah, they just tried "12345" on all the accounts.
I think they saw it in a movie once.

Re:Bad Systems Design? (0)

Eponymous Hero (2090636) | more than 2 years ago | (#39948929)

I got into a broken ATM's maintenance area using 000000, the old BREW default

Re:Bad Systems Design? (1)

Antarell (930241) | more than 2 years ago | (#39948733)

Me too, but being able to read the article would help :-/

Re:Bad Systems Design? (0)

Anonymous Coward | more than 2 years ago | (#39960839)

lol, twitter

Not just Twitter (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39948759)

How many people use the same password on several services?

Welp (1)

deathtopaulw (1032050) | more than 2 years ago | (#39948761)

This'll teach you to disobey a direct order from the police. Get down on the ground.

Why am I not surprised? (0)

TechyImmigrant (175943) | more than 2 years ago | (#39948771)

>55,000 passwords were leaked

Why am I not surprised?

Re:Why am I not surprised? (2, Funny)

Anonymous Coward | more than 2 years ago | (#39948807)

I certainly am surprised. I thought they had more than 55,000 users. Maybe there are only 55,000 unique passwords amongst their users?

Update: No recent hack, just repackaged old data (5, Informative)

Kelson (129150) | more than 2 years ago | (#39948773)

From CNet's article [cnet.com]:

After Lamo and others found that at least some of the alleged account data had been posted on the Web last year and speculated that the list appeared to be compiled from various sources, including spam accounts, Twitter provided CNET this statement when asked for comment: "We've looked into this and can confirm that Twitter was not compromised. For extra precaution, yesterday, we pushed out password resets to accounts that may have been affected."

Re:Update: No recent hack, just repackaged old dat (0)

Anonymous Coward | more than 2 years ago | (#39948953)

Without knowing how they got the usernames/passwords this information is useless.
$20 says these were probably secured via phishing pages.

Considering how many spam DMs I get from the "someone is saying something terrible about you...XXPHISHSITE.com" type, having 55,000 username/passwords isn't that big a deal.

Now if they had hacked Twitter's servers etc., then this would be a bigger deal.

- http://blog.mytblock.com/2012/05/55000-twitter-usernames-and-passwords.html

Re:Update: No recent hack, just repackaged old dat (3, Interesting)

deblau (68023) | more than 2 years ago | (#39949957)

Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?

http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/ [wired.com]

I don't know why anyone would ever talk to this guy again for the rest of his life.

Re:Update: No recent hack, just repackaged old dat (2, Insightful)

Anonymous Coward | more than 2 years ago | (#39950917)

Oh dear, is this the same Adrian Lamo who turned in Bradley Manning over the Wikileaks incident?

http://www.wired.com/threatlevel/2011/07/manning-lamo-logs/ [wired.com]

I don't know why anyone would ever talk to this guy again for the rest of his life.

I'd talk to him. He reported an Intelligence officer with access to sensitive information who was planning on leaking it because he was pissed off about the military's policy towards homosexuals. If you bother to read the conversations it's pretty fucking obvious that Manning had an axe to grind, went into the systems and dug up any and all information he thought might make the military look bad, and then leaked it. After the fact, he tried to claim that he was "blowing the whistle" on supposed war crimes which he never provided evidence to support.

If I was Lamo I'd have done the same thing. Manning was using him, he lied to him about his motivations in order to get assistance in leaking the material. Had I been told that there was War Crime evidence, I'd have been more than happy to help with a leak, but upon discovering that I was being sucked into some kind of personal vendetta against "the man" I'd also have gone to the authorities with the info.

Note that I am not defending the military's policy towards gays here, I think it's stupid. But it's not like it was some kind of secret when Manning signed up, either, and it's certainly not justification to sell out your countrymen who have little or no ability to influence or change such policies.

Re:Update: No recent hack, just repackaged old dat (-1)

Anonymous Coward | more than 2 years ago | (#39951149)

So it's true: persons like you REALLY exist.

Man, that is so........ Sad.

Travel, meet people, and don't trust your government, you will learn so much things...

Re:Update: No recent hack, just repackaged old dat (0)

Anonymous Coward | more than 2 years ago | (#39952827)

So it's true: persons like you REALLY exist.

Man, that is so........ Sad.

Oh, the irony. He's being objective, impartial and informed, while you're spouting this empty teenage rebellion rhetoric.

you will learn so much things...

Please finish high school English before getting on your political soapbox, you'll learn so many things...

Re:Update: No recent hack, just repackaged old dat (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#39954101)

Whatever else you may think of Lamo one thing is abundantly clear: he's untrustworthy.

As pointed out in several other places... (5, Informative)

spec8472 (241410) | more than 2 years ago | (#39948789)

There is no evidence Twitter themselves were "hacked".
This is likely the password file from a spambot c&c network.

All* the twitter accounts shown follow the same naming and password rules. This is not typical of how a random selection of users would set up their account.
In addition all/most of these accounts are or were suspended (typically this is for spam).

* I may have missed one, but given several others point out the same...

Ref: Reddit: 55.000+ Twitter usernames and passwords leaked [reddit.com]

Re:As pointed out in several other places... (1)

DarwinSurvivor (1752106) | more than 2 years ago | (#39949587)

Unless they're hashes of some kind (though they don't appear to be md5, sha, etc). Either way, the usernames themselves look like bot names.

Re:As pointed out in several other places... (1)

WuphonsReach (684551) | more than 2 years ago | (#39954533)

This is likely the password file from a spambot c&c network.

You're reaching. A lot of the accounts/passwords are things like:

andre@someplace.com:andre
somebraindeaduser@somewhere:123456789

Once you get past the spam accounts, there's a lot of what looks like valid user accounts with weak passwords.

OK, password is coming out now. (-1)

Anonymous Coward | more than 2 years ago | (#39948825)

I don't have a twitter account. And don't want one.

looks like pretty low-value accounts (4, Informative)

Trepidity (597) | more than 2 years ago | (#39948873)

A huge number of the account names and passwords look clearly auto-generated. I would guess it's not a "real" leak of actual users' data, but a compromise of some spammer's twitter-bot farm.

I mean, this is not what a leak of regular Twitter-user u/p would look like:

Idellcfipt:E7QkDx28
Yiqafky:A417tSFv
Mi_deq:15j6onel

Re:looks like pretty low-value accounts (0)

Anonymous Coward | more than 2 years ago | (#39948963)

Crikes! That second one was mine!
-Yiq

Re:looks like pretty low-value accounts (5, Funny)

Fwipp (1473271) | more than 2 years ago | (#39949019)

I agree, clearly not real people. Those passwords are way too strong.

Re:looks like pretty low-value accounts (1)

Anonymous Coward | more than 2 years ago | (#39951465)

Have some strength measure here: http://xkcd.com/936/ [xkcd.com] Seriously? :P

Re:looks like pretty low-value accounts (1)

Antony-Kyre (807195) | more than 2 years ago | (#39953965)

Well, looks like people have a list of 55,000 strong passwords to choose from now.

People who have memorization issues should start with perhaps a weaker password, then make it longer over time. I don't think password aging is a good idea as people will just choose weak passwords slightly modifying them each time.

A six digit, easy-to-read captcha seems like it should be easy for spammers to crack. Maybe twitter should require account verification using a mobile phone number? With no more than one account created per phone number per week.

Re:looks like pretty low-value accounts (5, Informative)

NoEvidenZ (807374) | more than 2 years ago | (#39949043)

That's absolutely what I thought.

The list starts off strong with roughly 5000 script generated accounts. The usernames and passwords are just too obviously random to be real.

It looks like it then goes on to some phished accounts.

Also looks like a large amount are duplicates.

seeds please (0)

Anonymous Coward | more than 2 years ago | (#39948933)

need people to seed http://thepiratebay.se/torrent/7256774/55000_twitter_accounts_and_passwords so I know if I have to change my password.

Re:seeds please (1)

wo1verin3 (473094) | more than 2 years ago | (#39950359)

Yes, you should change your password. 55k passwords posted, unknown amount compromised but unposted until (if) they figure out where they came from.

Re:seeds please (1)

CharlyFoxtrot (1607527) | more than 2 years ago | (#39954153)

Send your username and password to me and I'll check for you.

Wait. (0, Offtopic)

DoninIN (115418) | more than 2 years ago | (#39948947)

So you're saying that the stupid txt broadcast company with the faddish technology and the fail whale... Wait, how is this even news?

Think I was hit (2)

lunatick (32698) | more than 2 years ago | (#39949011)

Maybe it's just a coincidence but I checked my twitter account and couldn't log in, had to reset my password. Damn now I need to find a password other than 12345, BTW could you pass the Peri-Air?

Re:Think I was hit (2)

Ol Olsoc (1175323) | more than 2 years ago | (#39949287)

Damn now I need to find a password other than 12345,

You could try Password1

Re:Think I was hit (1)

philip.paradis (2580427) | more than 2 years ago | (#39949571)

I prefer to use hunter2 for all my critical accounts.

Re:Think I was hit (3, Funny)

Cinder6 (894572) | more than 2 years ago | (#39950759)

Thanks for the suggestion, but that just showed up as a bunch of asterisks for me. (Maybe that would be a good password?)

And nothing of value was lost ... (0)

Anonymous Coward | more than 2 years ago | (#39949155)

Really the only ones who'd be harmed by this are celebrities (including politicians) who crave followers. And presumably these have staff that will fix the problem for them. I have a bazillion Twitter accounts that I register and discard simply to comment on some idiot's Tweet.

PS. Isn't relative anonymity the main attraction of Twitter versus the privacy murdering social networks like F*c*book and Gee+?

It's really surprising (0)

Anonymous Coward | more than 2 years ago | (#39949197)

How much time people manage to waste writing and reading messages of 140 characters or less.

Re:It's really surprising (1)

Anonymous Coward | more than 2 years ago | (#39949527)

TLDR

Why the hell would twitter even KNOW my password? (3, Interesting)

CFD339 (795926) | more than 2 years ago | (#39949201)

Well managed sites do not store your password. They store an encryption HASH of your password. When you type in your password, they use the same routine to HASH what you type in and compare the hashes. You cannot go backward from a hash to a password (well, not a modern hash, and not with a password that isn't a simple common word). There is no excuse for a web site to actually have a stored copy of your actual password anywhere in their systems.

Re:Why the hell would twitter even KNOW my passwor (4, Insightful)

EvanED (569694) | more than 2 years ago | (#39949243)

Good thing these passwords weren't obtained by attacking Twitter's servers directly then.

Re:Why the hell would twitter even KNOW my passwor (1)

Monkier (607445) | more than 2 years ago | (#39950975)

I wish i had some mod points for you

Re:Why the hell would twitter even KNOW my passwor (-1)

Anonymous Coward | more than 2 years ago | (#39949825)

You, sir, are a dumbass.

Nice try though, you almost looked smart. Better luck next time.

Re:Why the hell would twitter even KNOW my passwor (3, Interesting)

danlip (737336) | more than 2 years ago | (#39950437)

Salted and hashed. Without salt you can use rainbow tables to reverse the hash. But you're right, they shouldn't be storing it anywhere or using reversible encryption.
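The storage scheme CFD339 and danlip describe above (store a hash, never the password itself, and add a per-user salt so a precomputed table of common-password hashes is useless), as an added example that is not part of the original thread and not Twitter's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, the record format and the toy precomputed table (a plain hash-to-password dictionary, the simplest form of what the comment calls a rainbow table) are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Illustrative parameters (assumptions, not Twitter's settings): a 16-byte random
# salt per user and a PBKDF2 iteration count high enough to slow offline guessing.
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn unless one is supplied, so hashing the same
    password twice yields two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare
    in constant time; the plaintext password is never stored anywhere."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


# --- what goes wrong without a salt -------------------------------------

def unsalted_sha1(password: str) -> str:
    """The weak scheme: one bare hash per password, identical for every user
    who picked that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password for a candidate list. A real rainbow table
    trades storage for recomputation with chains, but the effect is the same:
    unsalted hashes of common passwords are inverted by lookup, once, for all users."""
    return {unsalted_sha1(p): p for p in candidates}


def crack_unsalted(hashes: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Return the subset of leaked hashes that the table inverts."""
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    rec = hash_password("123456789")
    print(rec)
    print("verify ok:", verify_password("123456789", rec))
    print("verify bad:", verify_password("12345678", rec))
    table = build_lookup_table(["123456789", "andre", "password1", "hunter2"])
    leaked = [unsalted_sha1("andre"), unsalted_sha1("E7QkDx28")]
    print("cracked:", crack_unsalted(leaked, table))
```

The salt does not make a weak password strong: "andre" still falls to a per-record guessing run, only no longer to a shared precomputed table. It also does nothing about the point made further down the thread, that a compromised server can log the password before it is ever hashed; storage hygiene limits what a database dump yields, not what a live attacker sees.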

Re:Why the hell would twitter even KNOW my passwor (2)

jaymemaurice (2024752) | more than 2 years ago | (#39951081)

If only the world was so simple. Passwords sometimes need to be stored un-hashed. For example, your ISP may have your password unhashed or stored with reversible encryption to facilitate secure-ish un-encrypted authentication such as CHAP.

And even if said well-managed site stores salted hashes, it is often trivial for someone with access to a compromised server to log the username/password pairs before the salted hash is compared... and sure, the client can send a salted hash which is salted based off a challenge, and then hashed and compared against a different hash, but that's a little redonkeylous, and even then an attacker who has access to the code could still make the clients send only hashes which are based off a salt that they have rainbow tables for, or just fix it.

The golden rule of life is simple:
Don't believe any information/procedure you create/disclose/share will be used for the purpose you originally created/disclosed/shared it... and when that sinks in you will either be paranoid or indifferent.

Re:Why the hell would twitter even KNOW my passwor (1)

CFD339 (795926) | more than 2 years ago | (#40082595)

It's good advice (your golden rule). There are only two levels of paranoia, to a computer security person. Absolute, and insufficient.

And... (0)

DoofusOfDeath (636671) | more than 2 years ago | (#39949267)

Not to be a curmudgeon, but does twitter really contribute anything to the world?

Re:And... (2)

Ol Olsoc (1175323) | more than 2 years ago | (#39949293)

Not to be a curmudgeon, but does twitter really contribute anything to the world?

Where else ya gonna go to get your password hacked?

Re:And... (0)

Anonymous Coward | more than 2 years ago | (#39951087)

It's a communications forum. You might as well ask the same of telephones, slashdot, IRC, or hell, the whole internet.

Re:And... (1)

History's Coming To (1059484) | more than 2 years ago | (#39951735)

Absolutely. Sure, if you want to follow a random selection of users then you're just going to get lots of updates on what people are having for lunch, but the trick is to follow people you find interesting. I mostly follow people involved in physics, maths, science writing and a few other topics I'm interested in. It's essentially a news feed if you get it right, I first heard about CERN's "super-luminal neutrinos" through Twitter.

Yes, there's a lot of noise (just try reading the "raw" feed if you want to feel depressed about humanity), but the whole point of the thing is to find your own signal, and Twitter makes it very easy to get a good signal/noise ratio.

If you want something "useful to the species", people have set up programs which scan Twitter for "earthquake" and a place name or geolocation tag and can then give early warning before the waves hit (internet traffic is faster than seismic waves).

Re:And... (1)

a90Tj2P7 (1533853) | more than 2 years ago | (#39953073)

It's a great way to catch breaking news if you don't sit in front of a TV all day. Yesterday would be a prime example, glancing down at my phone on an afternoon smoke break to find out the president had announced his support of same-sex marriage. It was a good hour or so before that had made its way through the major news sources. You can find accounts for everything from local news, to your state-level organizations and agencies, to specific committees in congress or the house.

Hacked? (0)

Anonymous Coward | more than 2 years ago | (#39949377)

Speaking of hacked, I haven't got around to logging in or moderating when I get the chance. Been too busy being bio-hacked/mind controlled. Anyone had their selves or someone else hacked? E.G made to say things, have passwords extracted from their minds? I don't feel like anything is safe anymore with such shenanigans going on.

Re:Hacked? (0)

Anonymous Coward | more than 2 years ago | (#39949453)

That could fall under a Psy-Ops project/situation. Some people still think it's schizophrenia, heh.

Re:Hacked? (1)

lightknight (213164) | more than 2 years ago | (#39950145)

Those are the people without tin-foil hats. ;-)

But honestly, if you think someone is watching you, someone probably is.

Caring about it (3, Funny)

fizzer06 (1500649) | more than 2 years ago | (#39949429)

Try as hard as I can, still don't care about twits and their tweets.

Re:Caring about it (1)

PeanutButterBreath (1224570) | more than 2 years ago | (#39956527)

Do or do not, there is no "try". And when it comes to caring about Twitter, there is no "do" either.

And nothing of value was lost (3, Interesting)

the eric conspiracy (20178) | more than 2 years ago | (#39949985)

Seems to me it's more likely that somebody now owns the Twitter password server and is now trying to get everyone to change their password so he'll have all the twitter user passwords.

Hello, FBI, is that you??

The DA gets what he wants (1)

lightknight (213164) | more than 2 years ago | (#39950135)

"Fight us over our subpoenas? Fine, you have 'Chinese' hackers eating you now."

Bad Company (FBI) Op (0)

Anonymous Coward | more than 2 years ago | (#39950183)

Twitter has been blocking efforts by NY to reveal the Twitter feeds of a blogger associated with 'Occupy'.

I suspect that NY (read New York Police) pulled some strings and got the FBI to hack Twitter accounts.

The FBI, like other non-elected elements of the US government, has no regard for local laws, state laws, Federal laws, Constitutional laws and not even, heaven forbid, international laws such as the tawdry thing like the 'rights of prisoners of war' and such.

Be that as it may.

Nevertheless, FBI personnel, like the White House Staff, are touchable and their 'place' can be found and monitored minute-by-minute with great ease, for those who know.

Therefore, some 'touching' of these 'personnel' need be done and soon and with great 'effect'.

Happy driving home boys and girls; 'snicker snicker'. Oh! careful that door knob!

LoL

Keylogged, not hacked. (1)

wo1verin3 (473094) | more than 2 years ago | (#39950367)

Or at least not directly hacked from Twitter.

If you look at the logins [airdemon.net] there is a mix of usernames and email addresses. Since Twitter lets you login using either your twitter handle or email address, it looks as if these were somehow keylogged or otherwise hijacked, as opposed to Twitter being hacked.

Re:Keylogged, not hacked. (1)

WuphonsReach (684551) | more than 2 years ago | (#39954559)

34064 unique pairs of usernames/passwords.

About 1/2 (15834) are @hotmail

(Yahoo and GMail each had about 2000-2200 occurrences.)

So possibly phished or keylogged.

Or hotmail is a lot more popular than we realize.
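A triage script for a dump in the user:password layout discussed in this thread, as an added example that is not part of the original page. It produces the kind of numbers WuphonsReach reports above (unique pairs, how many logins are email addresses rather than handles, mail-domain counts) and applies a crude heuristic for the machine-generated credentials spec8472 and Trepidity point to. The sample lines are constructed for the example, modelled on entries quoted in the comments, and the "looks generated" heuristic is an assumption, not a measured property of the real dump.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the user:password layout the thread describes. It is
# modelled on entries quoted in the comments above but is not the real dump;
# the duplicate line and the second hotmail entry are there to exercise the code.
SAMPLE_DUMP = """\
Idellcfipt:E7QkDx28
Yiqafky:A417tSFv
Mi_deq:15j6onel
andre@someplace.com:andre
somebraindeaduser@somewhere.com:123456789
andre@someplace.com:andre
bob.smith@hotmail.com:password1
carol@yahoo.com:qwerty
dave_99@hotmail.com:dave1990
Xkqvlo_t:Q9mZ2bLp
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Split 'user:password' lines on the first colon only, because a password
    may itself contain colons. Blank or malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, password = line.partition(":")
        pairs.append((user, password))
    return pairs


def is_generated(password: str) -> bool:
    """Heuristic (an assumption for this example): an 8-character ASCII
    alphanumeric password that mixes letters and digits, with the digits
    interleaved rather than tacked on the end ('dave1990'), looks like the
    output of a registration script rather than a human choice."""
    return (len(password) == 8
            and password.isascii() and password.isalnum()
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and re.fullmatch(r"[A-Za-z]+\d+", password) is None)


def triage(text: str) -> Dict[str, object]:
    """Dedupe the dump and summarise login type, mail domains and
    likely script-created accounts."""
    pairs = parse_dump(text)
    unique = list(dict.fromkeys(pairs))          # dedupe, keep first-seen order
    emails = [u for u, _ in unique if EMAIL_RE.match(u)]
    domains = Counter(u.rsplit("@", 1)[1].lower() for u in emails)
    return {
        "total": len(pairs),
        "unique": len(unique),
        "duplicates": len(pairs) - len(unique),
        "email_logins": len(emails),
        "handle_logins": len(unique) - len(emails),
        "top_domains": domains.most_common(3),
        "likely_generated": [(u, p) for u, p in unique if is_generated(p)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run it on a real dump and the split between handle logins with random-looking 8-character passwords and email logins with weak human passwords is what separates "bot farm file" from "phished users", which is the distinction the thread is arguing about; a high duplicate count on its own says only that the list was stitched together from several sources.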

In Other News (0)

Anonymous Coward | more than 2 years ago | (#39950629)

The Commanders of the submarines of the Strategic Nuclear Submarine Fleet still retain the prerogative to launch on warning.

The target or targets, up to them.

Assumptions regarding the location of target or targets should not be presumed.

The target and targets can be within United States of America borders!

The prime target can be a location within the White House.

USA Air Force Dept. installations and assets can be targeted as well, as be needed.

Although evaporating one human being within the White House, when evaporating upwards of 1 to 2 million USA citizens in the northern Virginia, Washington DC, Maryland area may seem excessive, given circumstances, may be necessary.

LoL

OH (-1)

Anonymous Coward | more than 2 years ago | (#39950645)

I'll get on that right away! As soon as I remember my old password. And my Twitter username. And ... wait, I don't have a Twitter username. Never mind. Carry on, all of you twits.

You can check whether your account is one of them (0)

Anonymous Coward | more than 2 years ago | (#39951383)

After reading about the leak yesterday I quickly put together a little search tool that lets you search for your username to check whether your account is compromised. I know, probably most accounts should belong to spammers but just to be sure, you can check here: http://twitterleak.martinwittmann.at/
Hope that helps some of you, Martin

proposal (1)

Hognoxious (631665) | more than 2 years ago | (#39951731)

Wouldn't it be simpler to just post a story on the days when skateboardface & his lackeys don't fuck something up?

You see, lots of pirates are anarchists... (0)

Anonymous Coward | more than 2 years ago | (#39956497)

I'm not saying that in this particular case the goal was some kind of chaos or bragging : for all we know maybe they hacked *ALL* the Twitter accounts/passwords and are asking for a ransom but...

This whole "I cracked a shitload of accounts/passwords and I'm pasting them to pastebin" happens quite often.

So let me ask all the knee-jerkers here that constantly, every time the security issue comes up, say that dark side hackers/pirates are only doing it "for the munnies" / "for the russian mob" / or other bullsh*t, what do you think is the probability that some pirates do only pirate for the lulz?

Just to brag, just to prove they're good. Just because they *can* do it?

I think that the probability that some of the pirates out there are *not* motivated by money is 100%.

So now I'd like all these knee-jerkers to sh*t the f*ck up every time a security issue comes up. No, all pirates out there are not slaves working for some mafia. Some will pirate you even if there's *zero* money to be made.

Not Hacked and Leaked (0)

Anonymous Coward | more than 2 years ago | (#39958133)

Phished. Big difference.
