Twitter breach leaks emails, passwords of 250,000 users

If you find that your Twitter password doesn't work the next time you try to login, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users. "This week, we detected unusual access patterns that …

COMMENTS

This topic is closed for new posts.
  1. NukEvil
    Trollface

    Hey, remember this?

    http://forums.theregister.co.uk/forum/1/2013/01/31/twitter_broken/#c_1713513

    I bet they feel like twats now.

    1. TheVogon

      Re: Hey, remember this?

      More insecure Open Source based crap with zero security....

  2. PaulR79
    Facepalm

    1 of the 250k

    Maybe I should play the lottery this weekend. I had this article open in one tab and went to Twitter to paste a link to the Super.... "El Plato Supremé" video and now it's telling me to reset my password. I'd just gotten used to that password as well! Sonnuva.....

  3. Anonymous Coward
    Paris Hilton

    Maybe it's just me - but why is this important?

    What "critical" information could possibly be in someone's Twitter account? And if people are keeping critical information in Twitter or Facebook or whatnot, doesn't that really just speak volumes about their complete lack of common sense regarding security?

    Isn't everything in a Twitter account out there for public view already anyway? What am I missing - I don't get why it matters if a Twitter account password is hacked. I guess someone could use the hacked account to do Twitter-spam with?? I'm totally confused on this one.

    1. Anonymous Coward
      Anonymous Coward

      Re: Maybe it's just me - but why is this important?

      Maybe the point is to gather passwords for future use - if a similar hack gathers account info for another more important service and the miscreants can link any of the accounts (eg by name) to the same user then maybe the password will do for the second one?

      Otherwise, I agree there doesn't seem to be any real point to it.

      1. Ole Juul

        Re: Maybe it's just me - but why is this important?

        Sending out 250K tweets with the same message could be effective.

        1. Tom 260

          Re: Maybe it's just me - but why is this important?

          "Sending out 250K tweets with the same message could be effective."

          Doubly so if there's a link to an attack or phishing site in those tweets. Twitter's insistence on re-short-linking URLs that are already short links puts paid to my Firefox addon that displays the original URL. Are there any capable of displaying the end result of 'nested' short links?

    2. M.D.
      Headmaster

      Re: Maybe it's just me - but why is this important?

      So, you're a Twitter user and you receive a link from someone who Follows You/You Follow. You are far more likely to click through to that link than if it (a) was an 'unknown' Tweeter or (b) email spam.

      Next one - so, you're a dissident in Some Country (let's not name names) and you receive a DM from a colleague you trust...maybe asking you for contact info on other dissidents.

      Etc.

      Remember, Twitter claim to have reduced the number of compromised accounts through prompt action - the more they had, the greater the threat.

      To thoughtlessly disparage the potential for serious impact implies to me you haven't thought this one through - have another go at this one (I know it's Saturday morning and all)

    3. Matt Bryant Silver badge
      Joke

      Re: Maybe it's just me - but why is this important?

      ".....What am I missing...." Obviously, it's someone looking for some suckers to offload their Faecesbook shares to!

    4. Anonymous Coward
      Anonymous Coward

      Re: Maybe it's just me - but why is this important?

      Email address and password combo is the critical information. It's a good bet that users will use the same passwords on other sites.

  4. Gordon Stewart
    FAIL

    ..."the encrypted and salted versions of passwords"

    Let me fix that for you:

    "...the hashed and salted versions of passwords"

    1. koolholio

      It'll most likely be being cracked online somewhere then... knowing most of the 'account hijacker' types of script kiddie! The problem is, there's so many sites they could use to find out passwords in about 30 minutes, depending upon the algorithm used.

  5. Smudge@mcr

    the java angle....

    The java vulnerability is key here.

    It works by running a malicious script when a link is pressed in a compromised site.

    Here's how it could work:

    You see a tweet from someone you follow and trust: "hey look at this".

    You click on the link, go to the compromised site, "press to enter site" dialog box, which you click on.

    The javascript runs in the background and your system is compromised.

    A great way to build a botnet...

    1. Irongut
      Stop

      Re: the java angle....

      For the 6 billionth time JAVASCRIPT IS NOT JAVA!

      1. koolholio
        FAIL

        Re: the java angle....

        But some javascript methods can trigger a native java context within particular browsers / configurations.

        Or haven't you discovered that with the latest revision of it?

      2. Smudge@mcr

        Re: the java angle....

        Yes you are correct. The post should say "The Javascript angle"

        I should know better.

        The point is that a compromised account could be used to trick other users into executing malicious code. Particularly non technical users.

        1. koolholio
          Facepalm

          Re: the java angle....

          Whilst this is true and probably happens a lot....

          It's assuming that's the method they used? And not some SQL injection? (Which appears all too common with some major sites recently.)

    2. Matt Bryant Silver badge
      Thumb Up

      Re: the java angle....

      The really amusing bit is corporations obviously think that Java has such a bad security rep that they can hide their own incompetence by declaring "it's all just a Java issue, nothing to see here, move along!"

  6. Anonymous Coward
    Anonymous Coward

    Which government?!

    My account was hacked. I'm not a political person, however in the past I have used Twitter to criticize the IDF. Just sayin'....

    1. Matt Bryant Silver badge
      FAIL

      Re: Which government?!

      ".... I'm not a political person, however in the past I have used Twitter to criticize the IDF..." Don't worry, most people that criticise the IDF also aren't political, they're just anti-Semitic. And it was Twatter, so no chance that anyone of import would have been paying attention anyway.

      1. Anonymous Coward
        Anonymous Coward

        Re: Which government?!

        Rubbish. Most people that criticise the IDF don't like the US funding a terrorist state and their money being used to kill and commit genocide on Palestinians - you know, well documented policies such as white phosphorus being used widely on civilians, shelling families on beaches, leaving booby trap bombs where children are known to play, deliberately shooting children, that sort of thing...

        False claims that objecting to such barbaric behaviour is in some way anti-Semitic is in fact a common defensive tactic of those that support these atrocities.

        1. Matt Bryant Silver badge
          Facepalm

          Re: Which government?!

          ".....Most people that criticise the IDF don't like the US funding a terrorist state....." OK, so shall we look at your "reasoning"? Did you protest maybe because you think Israel "steals" land? In which case, did you give equal Twatter time to protesting China's occupation of Tibet? Or did you complain about the IDF killing Fakeistinian "freedom fighters"? Then I expect you also dissed Syria, Lebanon and Jordan? Oh, you did know all three have spent plenty of time hunting down and killing PLO and other groups that have tried to usurp their control? What a surprise - you didn't.

          Of course, if you didn't give equal airtime to criticising anyone other than Israel, then I'd have to draw the conclusion that you are just a know-nothing member of the sheeple, being herded by the trendy protest-du-jour, or just an anti-Semite pretending to yourself you are not racist.

    2. koolholio
      Angel

      Re: Which government?!

      Well, given LinkedIn accounts have also been attacked by seemingly Chinese actors...

      http://www.theprohack.com/2013/01/linkedin-malware-profiles-hit-with.html

      1. koolholio

        Re: Which government?!

        In more detail:

        http://www.zdnet.com/targeted-attack-against-uae-activist-utilizes-cve-2013-0422-drops-malware-7000010645/

    3. Naadir Jeewa

      Re: Which government?!

      Argh. I was one of those accounts. I've taken Twitter potshots at Israel, Palestine, China and the US. I am, if nothing, an equal opportunities critic. I'm pretty certain the IDF has no interest in me at all, thanks.

      I've pretty much disabled Java on my end, and was only using Twitter API clients when the password was reset.

      I'm pretty certain that the hack, if it involved Java, must have happened on Twitter's end, which meant a few NoSQL shards were captured. How else would they get the salt and hashed passwords?

  7. Anonymous Coward
    Anonymous Coward

    OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

    Sigh.

    1. Naadir Jeewa
      Facepalm

      Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

      Well, it's worse than that. How many people do you reckon use their Twitter password for everything else?

      1. The Alpha Klutz

        Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

        100% of the people who deserve to be hacked.

        1. Matt Bryant Silver badge
          Thumb Up

          Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

          "100% of the people who deserve to be hacked." TBH, 99% of Twatter seems to be marketing drones and the like, so hardly the greatest loss to the Internet community.

    2. Tom 13

      Re: OMG! Twitter breached, I posted my life on it, I'm ruined #gulliblesademptytwat

      At 140 characters per tweet, there is no way anybody could post their life on Twitter, no matter how hard they try.

  8. Anonymous Coward
    Anonymous Coward

    "because simpler passwords are easier to guess using brute-force methods"

    Not if they're using salt. That's the entire purpose of salt.
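An added example, not code from the article or from Twitter, illustrating the salt discussion in Gordon Stewart's post and the comment above: a per-user random salt keeps equal passwords from sharing a hash and defeats precomputed tables, but a leaked record is stored beside its salt, so each guess can still be hashed with it and only the password's strength and the hash's cost factor slow that down. The PBKDF2 scheme, iteration count and wordlist are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed scheme for illustration (not Twitter's): PBKDF2-HMAC-SHA256
# with a random 16-byte salt per user and a cost factor that slows every guess.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the record a site stores: per-user salt, cost, derived key."""
    if salt is None:
        salt = os.urandom(16)  # fresh per user: same password -> different key
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])


def salts_separate_equal_passwords(password: str) -> bool:
    """Two users with the same password get different stored keys, so a table
    precomputed for one hash, or one cracked record, says nothing about the other."""
    return hash_password(password)["key"] != hash_password(password)["key"]


def guesses_to_recover(record: dict, wordlist: list) -> Optional[int]:
    """What a leaked record still permits: the salt sits beside the key, so each
    candidate is hashed with it and checked. Returns the number of guesses needed,
    or None if the list is exhausted. The salt does not reduce this count; the
    cost factor and the password's strength do."""
    for n, guess in enumerate(wordlist, 1):
        if verify_password(guess, record):
            return n
    return None


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "qwerty", "letmein"]  # constructed sample
    weak = hash_password("letmein")
    strong = hash_password("correct horse battery staple 2013")
    print(guesses_to_recover(weak, WORDLIST))    # 4: salt leaked with the record
    print(guesses_to_recover(strong, WORDLIST))  # None: not in the list
```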

  9. Anonymous Coward
    Anonymous Coward

    Get real

    If you are on Twitter, then what would you expect for security? Time to get real.

    1. Tom 13

      Re: Get real

      I got Real once. But now I'm back to using my default media player.

  10. William Donelson
    FAIL

    Was there a country bias in the thefts? .. Say, Iran or China?

    This could lead to actual imprisonment and deaths...

  11. Ed_UK
    Headmaster

    Bad Reg, Bad!

    If you're a techie outfit, you need to be able to spell and use techie words properly.

    "next time you try to login" < should be "LOG IN" not "LOGIN"

    "the next time you login" < should be "LOG IN" not "LOGIN"

    You can _have_ a login, because it's a noun. "Log in" is the verb.

    You wouldn't say "I loginned" (would you?). Or "I am logining."

    1. Your Majesty

      Re: Bad Reg, Bad!

      Well, you can always have a noun on a button.
