Hey, remember this?
I bet they feel like twats now.
If you find that your Twitter password doesn't work the next time you try to login, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users. "This week, we detected unusual access patterns that …
I bet they feel like twats now.
More insecure Open Source based crap with zero security....
Maybe I should play the lottery this weekend. I had this article open in one tab and went to Twitter to paste a link to the Super.... "El Plato Supremé" video and now it's telling me to reset my password. I'd just gotten used to that password as well! Sonnuva.....
What "critical" information could possibly be in someone's Twitter account? And if people are keeping critical information in Twitter or Facebook or whatnot, doesn't that really just speak volumes about their complete lack of common sense regarding security?
Isn't everything in a Twitter account out there for public view already anyway? What am I missing - I don't get why it matters if a Twitter account password is hacked. I guess someone could use the hacked account to do Twitter-spam with?? I'm totally confused on this one.
Maybe the point is to gather passwords for future use - if a similar hack gathers account info for another more important service and the miscreants can link any of the accounts (eg by name) to the same user then maybe the password will do for the second one?
Otherwise, I agree there doesn't seem to be any real point to it.
Sending out 250K tweets with the same message could be effective.
"Sending out 250K tweets with the same message could be effective."
Doubly so if there's a link to an attack or phishing site in those tweets. Twitter's insistence on re-short-linking URLs that are already short links puts paid to my Firefox addon that displays the original URL, are there any capable of displaying the end result of 'nested' short links?
So, your a Twitter user and you receive a link from someone who Follows You/You Follow. You are far more likely to click through to that link than if it (a) was an 'unknown' Tweeter or (b) email spam.
Next one - so, your a dissident in Some Country (let's not name names) and your receive a a DM from a colleague you trust...maybe asking y for contact info on other dissidents.
Remember, Twitter claim to have reduced the number of compromised account ts through prompt action - the more they had the greater the threat
To thoughtlessly disparage the potential for serious impact implies to me you haven't thought this one through - have another go at this one (I know it's Saturday morning and all)
".....What am I missing...." Obviously, It's someone looking for some suckers too offload their Faecesbook shares too!
Email address and password combo is the critical information. It'as a good bet that users will use the same passwords on other sites.
..."the encrypted and salted versions of passwords"
Let me fix that for you:
"...the hashed and salted versions of passwords"
It'll most likely be being cracked online somewhere then... knowing most of the 'account hijacker' types of script kiddie! The problem is, theres so many sites they could use to find out passwords in about 30 minutes, depending upon the algorithm used.
The java vulnerability is key here.
It works by running a malitious script when a link is pressed in a compromised site.
Here's how it could work:
you see a tweet from somone you follow and trust "hey look at this"
you click on the link, go to the compromised site "press to enter site dialog box" which you click on.
A great way to build a botnet...
Or havent you discovered that with the latest revision of it?
The really amusing bit is corporations obviously think that Java has such a bad security rep that they can hide their own incompetence by declaring "it's all just a Java issue, nothing to see here, move along!"
I should know better.
The point is that a compromised account could be used to trick other users into executing malicious code. Particularly non technical users.
Whilst this is true and probably happens alot....
Its assuming thats the method they used? and not some SQL injection? (which appears all too common with some major sites recently)
My account was hacked. I'm not a political person, however in the past I have used Twitter to criticize the IDF. Just sayin'....
".... I'm not a political person, however in the past I have used Twitter to criticize the IDF..." Don't worry, most people that criticise the IDF also aren't political, they're just anti-Semitic. And it was Twatter, so no chance that anyone of import would have been paying attention anyway.
Well given LinkedIn accounts have also been attacked by seemingly chinese actors...
In more detail:
Argh. I was one of those accounts. I've taken Twiter potshots at Israel, Palestine, China and the US. I am, if nothing, an equal opportunities critic. I'm pretty certain the IDF has no interest in me at all, thanks.
I've pretty much disabled Java on my end, and was only using Twitter API clients when the password was reset.
I'm pretty certain that the hack, if it involved Java, must have happened on Twitter's end, which meant a few NoSQL shards were captured. How else would they get the salt and hashed passwords?
Rubbish. Most people that criticise the IDF don't like the US funding a terrorist state and their money being used to kill and commit genocide on Palestinans - you know well documented policies such as- white phosphorhous being used widely on civilians, shelling families on beaches, leaving booby trap bombs where children are known to play, deliberately shooting children, that sort of thing...
False claims that objecting to such barbaric behaviour is in some way antisimitic is in fact a common defensive tactic of those that support these atrocities
".....Most people that criticise the IDF don't like the US funding a terrorist state....." OK, so shall we look at your "reasoning"? Did you protest maybe because you think Israel "steals" land? In which case, did you give equal Twatter time to protesting China's occupation of Tibet? Or did you complain about the IDF killing Fakeistinian "freedom fighters"? Then I expect you also dissed Syria, Lebanon and Jordan? Oh, you did know all three have spent plenty of time hunting down and killing PLO and other groups that have tried to usurp their control? What a surpsie - you didn't.
Of course, if you didn't give equal airtime to criticising anyone other than Israel, then I'd have to draw the conclusion that you are just a know-nothing member of the sheeple, being herded by the trendy protest-du-jour, or just an anti-Semite pretending to yourself you are not racist.
Well, it's worse than that. How many people do you reckon use their Twitter password for everything else?
100% of the people who deserve to be hacked.
"100% of the people who deserve to be hacked." TBH, 99% of Twatter seems to be marketing drones and the like, so hardly the greatest loss to the Internet community.
At 140 characters per tweet, there is no way anybody could post their life of twitter, no matter how hard they try.
"because simpler passwords are easier to guess using brute-force methods"
Not if they're using salt. That's the entire purpose of salt.
If you are on Twitter, then what would you expect for security? Time to get real.
I got Real once. But now I'm back to using my default media player.
Was there a country bias in the thefts? .. Say, Iran or China?
This could lead to actual imprisonment and deaths...
If you're a techie outfit, you need to be able to spell and use techie words properly.
"next time you try to login" < should be "LOG IN" not "LOGIN"
"the next time you login" < should be "LOG IN" not "LOGIN"
You can _have_ a login, because it's a noun. "Log in" is the verb.
You wouldn't say "I loginned" (would you?). Or "I am logining."
Well, you can always have a noun on a button.
fscked by SHA-1 collision? Not so fast, says Linus Torvalds