Attacks/Breaches
5/9/2012
11:21 AM

Twitter Downplays Breach That Exposed Passwords

Nearly 60,000 Twitter usernames and passwords released via Pastebin, but social networking service says half are for blocked spam accounts or duplicates.

Tens of thousands of Twitter users' email addresses and passwords have been dumped online.

The leaked information, comprising 58,978 username and password combinations, appeared Monday on Pastebin. While Twitter said that it's investigating the breach, it’s also downplayed the supposed size and severity of the data dump.

"We are currently looking into the situation," said spokeswoman Rachel Bremer via email. "It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other)."

Most hackers dumping data on Pastebin only divulge a subset of their data, then link to a torrent file for anyone who wants to download the entire data set. But in this case, whoever posted the data simply pasted the information across five different Pastebin posts. (Links: one, two, three, four, and five.) That was necessary since Pastebin imposes a 512 Kb limit on each post.


While Twitter is continuing its investigation, the company said it's already contacted affected users. "We have pushed out password resets to accounts that may have been affected," said Bremer. "For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center."

Still, few Twitter users would have been affected by the breach. Based on Twitter's estimate of the number of invalid accounts contained in the data dump, and with the social network claiming to now have over 140 million active users, the breach would have affected about 0.02% of its user base.

Who leaked the Twitter account credentials, and why? Thanks to the Pastebin poster remaining anonymous, and no group stepping forward to take credit, that's not clear. But it's quite possible that the leaked credentials were gathered via phishing attacks, which would have tricked users into divulging their details. If so, that would exonerate Twitter and its information security practices.

That question is relevant because last year, as part of its settlement with the Federal Trade Commission, Twitter agreed to improve its information security practices, undergo regular information security audits for 10 years, and avoid making any misleading statements about the effectiveness of its security or privacy practices for the next 20 years.

The settlement stems from an FTC charge that the social network "deceived consumers and put their privacy at risk by failing to safeguard their personal information," after hackers in 2009 twice gained full administrative control of the Twitter site.

As part of the settlement, which was first fielded by the FTC in 2010, Twitter agreed to designate employees to coordinate--as well as be accountable for--its information security and privacy programs. Twitter also agreed to put in place "reasonable safeguards" to mitigate any information security risks it identified, and to store data securely. But by the time the settlement was announced last year, Twitter said it had added almost all of the required security improvements.


Comments
timothytim, User Rank: Apprentice
5/25/2012 | 10:11:17 PM
re: Twitter Downplays Breach That Exposed Passwords
My Twitter account was compromised and subsequently suspended. The hacker sent out offensive tweets. I was able to get my account restored, but only after agreeing to not send any more offensive tweets. They won't respond to any request asking to clear the record from my account. In my case, I am 100% certain it was not by phishing. Reason: The email account that was on file at Twitter was inactive and I had not updated my Twitter account. I did not receive any other Twitter-related messages at other email accounts. If I am one, you know there are lots (tens of thousands) of others who also were not phished. And what is the blah blah "Twitter was not compromised" about? If Twitter's customers were compromised then Twitter was compromised. Twitter doesn't exist without its customers. Pay no attention to the man behind the curtain.
Deb Donston-Miller, User Rank: Apprentice
5/9/2012 | 10:41:06 PM
re: Twitter Downplays Breach That Exposed Passwords
Just last week I started seeing a phishing scam in my email inbox, with a Twitter "follower" sending me a direct message saying that someone was "spreading bad rumors" about me. Now, the person whose account was clearly hacked is someone I work with, and I knew that he would never send me a message like that (especially one worded like that). So I knew it wasn't a legitimate message. But I know some teenagers who got the same message, and their Twitter followers might have used language like that. Luckily, my young friends were smart enough not to click on the link. But it's interesting to think about how a phish that doesn't work for one person might work for another or in another context.

Deb Donston-Miller
Contributing Editor, The BrainYard
JBUDDEMEYER000, User Rank: Apprentice
5/9/2012 | 6:28:14 PM
re: Twitter Downplays Breach That Exposed Passwords
Would Twitter actually admit the accounts had been accessed? The breach of privacy and security would be tantamount to chaos.
http://littlebiggy.org/4631847