Twitter breach leaks emails, passwords of 250,000 users

If you find that your Twitter password doesn't work the next time you try to login, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users. "This week, we detected unusual access patterns that led …

COMMENTS

This topic is closed for new posts.
Trollface

Hey, remember this?

http://forums.theregister.co.uk/forum/1/2013/01/31/twitter_broken/#c_1713513

I bet they feel like twats now.

2
2
Bronze badge

Re: Hey, remember this?

More insecure Open Source based crap with zero security....

0
4
Bronze badge
Facepalm

1 of the 250k

Maybe I should play the lottery this weekend. I had this article open in one tab and went to Twitter to paste a link to the Super.... "El Plato Supremé" video and now it's telling me to reset my password. I'd just gotten used to that password as well! Sonnuva.....

0
0
Silver badge
Paris Hilton

Maybe it's just me - but why is this important?

What "critical" information could possibly be in someone's Twitter account? And if people are keeping critical information in Twitter or Facebook or whatnot, doesn't that really just speak volumes about their complete lack of common sense regarding security?

Isn't everything in a Twitter account out there for public view already anyway? What am I missing - I don't get why it matters if a Twitter account password is hacked. I guess someone could use the hacked account to do Twitter-spam with?? I'm totally confused on this one.

8
1
Silver badge

Re: Maybe it's just me - but why is this important?

Maybe the point is to gather passwords for future use - if a similar hack gathers account info for another more important service and the miscreants can link any of the accounts (eg by name) to the same user then maybe the password will do for the second one?

Otherwise, I agree there doesn't seem to be any real point to it.

3
0
Silver badge

Re: Maybe it's just me - but why is this important?

Sending out 250K tweets with the same message could be effective.

1
0

Re: Maybe it's just me - but why is this important?

"Sending out 250K tweets with the same message could be effective."

Doubly so if there's a link to an attack or phishing site in those tweets. Twitter's insistence on re-short-linking URLs that are already short links puts paid to my Firefox addon that displays the original URL; are there any capable of displaying the end result of 'nested' short links?

1
0
Headmaster

Re: Maybe it's just me - but why is this important?

So, you're a Twitter user and you receive a link from someone who Follows You/You Follow. You are far more likely to click through to that link than if it (a) was an 'unknown' Tweeter or (b) email spam.

Next one - so, you're a dissident in Some Country (let's not name names) and you receive a DM from a colleague you trust...maybe asking you for contact info on other dissidents.

Etc.

Remember, Twitter claim to have reduced the number of compromised accounts through prompt action - the more they had the greater the threat.

To thoughtlessly disparage the potential for serious impact implies to me you haven't thought this one through - have another go at this one (I know it's Saturday morning and all).

2
2
Silver badge
Joke

Re: Maybe it's just me - but why is this important?

".....What am I missing...." Obviously, it's someone looking for some suckers to offload their Faecesbook shares to!

0
2

Re: Maybe it's just me - but why is this important?

Email address and password combo is the critical information. It's a good bet that users will use the same passwords on other sites.

1
0
FAIL

..."the encrypted and salted versions of passwords"

Let me fix that for you:

"...the hashed and salted versions of passwords"

0
1

It'll most likely be being cracked online somewhere then... knowing most of the 'account hijacker' types of script kiddie! The problem is, there's so many sites they could use to find out passwords in about 30 minutes, depending upon the algorithm used.

0
0

the java angle....

The java vulnerability is key here.

It works by running a malicious script when a link is pressed in a compromised site.

Here's how it could work:

You see a tweet from someone you follow and trust: "hey look at this".

You click on the link, go to the compromised site, "press to enter site" dialog box, which you click on.

The javascript runs in the background and your system is compromised.

A great way to build a botnet...

0
3
Silver badge
Stop

Re: the java angle....

For the 6 billionth time JAVASCRIPT IS NOT JAVA!

8
1
FAIL

Re: the java angle....

But some javascript methods can trigger a native java context within particular browsers / configurations.

Or haven't you discovered that with the latest revision of it?

0
0
Silver badge
Thumb Up

Re: the java angle....

The really amusing bit is corporations obviously think that Java has such a bad security rep that they can hide their own incompetence by declaring "it's all just a Java issue, nothing to see here, move along!"

1
3

Re: the java angle....

Yes you are correct. The post should say "The Javascript angle"

I should know better.

The point is that a compromised account could be used to trick other users into executing malicious code. Particularly non technical users.

0
0
Facepalm

Re: the java angle....

Whilst this is true and probably happens a lot....

It's assuming that's the method they used? And not some SQL injection? (which appears all too common with some major sites recently)

0
0
Anonymous Coward

Which government?!

My account was hacked. I'm not a political person, however in the past I have used Twitter to criticize the IDF. Just sayin'....

0
2
Silver badge
FAIL

Re: Which government?!

".... I'm not a political person, however in the past I have used Twitter to criticize the IDF..." Don't worry, most people that criticise the IDF also aren't political, they're just anti-Semitic. And it was Twatter, so no chance that anyone of import would have been paying attention anyway.

1
5
Angel

Re: Which government?!

Well given LinkedIn accounts have also been attacked by seemingly Chinese actors...

http://www.theprohack.com/2013/01/linkedin-malware-profiles-hit-with.html

0
0

Re: Which government?!

In more detail:

http://www.zdnet.com/targeted-attack-against-uae-activist-utilizes-cve-2013-0422-drops-malware-7000010645/

0
0

Re: Which government?!

Argh. I was one of those accounts. I've taken Twitter potshots at Israel, Palestine, China and the US. I am, if nothing, an equal opportunities critic. I'm pretty certain the IDF has no interest in me at all, thanks.

I've pretty much disabled Java on my end, and was only using Twitter API clients when the password was reset.

I'm pretty certain that the hack, if it involved Java, must have happened on Twitter's end, which meant a few NoSQL shards were captured. How else would they get the salt and hashed passwords?

1
1
Anonymous Coward

Re: Which government?!

Rubbish. Most people that criticise the IDF don't like the US funding a terrorist state and their money being used to kill and commit genocide on Palestinians - you know, well documented policies such as white phosphorus being used widely on civilians, shelling families on beaches, leaving booby trap bombs where children are known to play, deliberately shooting children, that sort of thing...

False claims that objecting to such barbaric behaviour is in some way anti-Semitic is in fact a common defensive tactic of those that support these atrocities.

5
4
Silver badge
Facepalm

Re: Which government?!

".....Most people that criticise the IDF don't like the US funding a terrorist state....." OK, so shall we look at your "reasoning"? Did you protest maybe because you think Israel "steals" land? In which case, did you give equal Twatter time to protesting China's occupation of Tibet? Or did you complain about the IDF killing Fakeistinian "freedom fighters"? Then I expect you also dissed Syria, Lebanon and Jordan? Oh, you did know all three have spent plenty of time hunting down and killing PLO and other groups that have tried to usurp their control? What a surprise - you didn't.

Of course, if you didn't give equal airtime to criticising anyone other than Israel, then I'd have to draw the conclusion that you are just a know-nothing member of the sheeple, being herded by the trendy protest-du-jour, or just an anti-Semite pretending to yourself you are not racist.

0
0
Anonymous Coward

OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

Sigh.

1
1
Facepalm

Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

Well, it's worse than that. How many people do you reckon use their Twitter password for everything else?

1
0

Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

100% of the people who deserve to be hacked.

1
1
Silver badge
Thumb Up

Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

"100% of the people who deserve to be hacked." TBH, 99% of Twatter seems to be marketing drones and the like, so hardly the greatest loss to the Internet community.

0
1
Silver badge

Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

At 140 characters per tweet, there is no way anybody could post their life on Twitter, no matter how hard they try.

0
0
Anonymous Coward

"because simpler passwords are easier to guess using brute-force methods"

Not if they're using salt. That's the entire purpose of salt.

0
0
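The "hashed and salted" correction earlier in the thread and the claim just above about what salt is for are the two technical points in this discussion, so here is an added example (mine, not the page's or Twitter's code) showing what a per-user salt actually buys when a password store leaks: two accounts with the same password get different digests, so one table of common-password hashes no longer matches every account that used one. It also shows that the cost of each individual guess comes from the work factor, not from the salt. PBKDF2-HMAC-SHA256, the iteration count and the three sample accounts are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor: the PBKDF2 iteration count. The salt defeats precomputation
# shared across accounts; the iterations are what make each single guess slow.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed sample store (not real data): alice and bob chose the same weak password.
STORE = {
    user: hash_password(pw)
    for user, pw in [("alice", "password1"), ("bob", "password1"), ("carol", "h7$Lq!2pZv")]
}


def salted_digests_differ(user_a: str, user_b: str) -> bool:
    """Same password, different salts -> different stored digests, so a leaked
    record for one account says nothing about another and a precomputed
    table cannot be reused across the whole dump."""
    return STORE[user_a][1] != STORE[user_b][1]


def unsalted_digests_collide(pw_a: str, pw_b: str) -> bool:
    """Without a salt, equal passwords hash identically, so a single table of
    common-password digests matches every account that picked one of them."""
    return hashlib.sha256(pw_a.encode("utf-8")).digest() == hashlib.sha256(pw_b.encode("utf-8")).digest()
```

Note that salting does nothing to make "password1" itself harder to guess for a single account; only the iteration count (or a memory-hard KDF) raises the per-guess cost.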
Anonymous Coward

Get real

If you are on Twitter, then what would you expect for security? Time to get real.

0
0
Silver badge

Re: Get real

I got Real once. But now I'm back to using my default media player.

1
0
FAIL

Was there a country bias in the thefts? .. Say, Iran or China?

This could lead to actual imprisonment and deaths...

0
0
Headmaster

Bad Reg, Bad!

If you're a techie outfit, you need to be able to spell and use techie words properly.

"next time you try to login" < should be "LOG IN" not "LOGIN"

"the next time you login" < should be "LOG IN" not "LOGIN"

You can _have_ a login, because it's a noun. "Log in" is the verb.

You wouldn't say "I loginned" (would you?). Or "I am logining."

0
1

Re: Bad Reg, Bad!

Well, you can always have a noun on a button.

0
0