
55,000 Twitter passwords leaked - gravitronic
http://www.airdemon.net/hacker107.html
======
jaysonelliot
I just did a random sampling of these accounts, and what's interesting is that
every one of the twenty accounts I looked at had about 3-6 followers, and was
following thousands of people (or it was suspended).

All their bios sound like bot-generated text, they all have suspiciously
similar passwords that look auto-generated, and none of them seem to have much
to say.

On a hunch, I logged in to a few of those accounts and saw that they all had
messages asking them to confirm their email addresses, as they had not done so
yet.

This is probably not a "leak," but some spammer's list of fake accounts.

~~~
ChuckMcM
_"This is probably not a 'leak,' but some spammer's list of fake accounts."_

Ok, since I like to randomly speculate about various facts, consider the
following, what if this was a white hat operation? We have seen that folks who
uncover botnets are in a weird place because if they take them out they can be
accused of violating the CFA but if they leave them in place, the world stays
sucky. So what to do? A creative missive to not take them out?

A white hat can 'leak' all of the spam accounts, which engages Twitter's
customer relations team, which disables all the accounts because they might be
'compromised' and sends an email to the owner to change their password. Except
they are spam accounts and don't have real emails so the emails go into the
bit bucket and 55,000 spam accounts go dark. I realize that is a lot of
construction.

~~~
trotsky
Why wouldn't they just email twitter explaining how to identify the spammers
and including a list?

~~~
ConstantineXVI
Said email would become a confession and evidence if Twitter (or a third party
that had this list) were to charge the leaker under CFA (or the relevant law
in their country). Posting it anonymously has the same effect without exposing
the leaker to legal issues.

~~~
rhizome
Also: Joe Jobs.

~~~
waqf
Steve's extra-evil twin? Or did you mean "Joe jobs"?

~~~
rhizome
The latter.

------
danielamitay
_Every single account I checked has constantly retweeted the account_
@Swagstro[1]. They have 314k followers, but no "Verified Account" tag (which
extremely popular users tend to have). I don't mean to point the finger, but
it seems like these accounts were used to boost the popularity of said
account.

EDIT: They gained 70k followers in the past two days alone[2].

EDIT 2: Their tweets have all disappeared since posting this comment.

CONCLUSION: Automatically generated accounts, profiles, and tweets. These
accounts are used for services that provide paid followers and retweets. It's
actually pretty interesting stuff if you look at the automatically generated
"Twitter Ipsum" that is their profile descriptions and how they randomly pick
quotes from famous people to tweet.

[1] <https://twitter.com/#!/Swagstro>

[2] <http://twittercounter.com/Swagstro>

~~~
sbarre
If you look at who that account is following, there seems to be a whole
network of people using accounts with names close to (or impersonating)
celebrities who all re-tweet each other and promise "10 follow-backs for each
follow" and "if you follow <random> I'll follow you" etc.

Looks like either some kind of weird social hack/club or I don't know what..

This account has close to 1M followers, and appears to be in that same network
or loop of spammy follower-harvesting group..

<https://twitter.com/#!/CraveMyThoughts>

~~~
danielamitay
Actually, that account looks pretty legit (in the sense that it's not 100% bot
generated).

Look at Swagstro's follower list [1], and Cmd/Ctrl-F for "holic", "fanatic",
"introvert", "bacon", "wannabe". Almost all of the accounts are simply
randomly generating the Lorem Ipsum of Twitter descriptions.

[1] <https://twitter.com/#!/Swagstro/followers>

~~~
reledi
This makes me wonder if Twitter is ever going to crack down on these spam
accounts, or put in place some preventive measures. Right now it's really
encouraging for spammers to create these accounts and sell their services.
There's still lots of room for improvement in these bot accounts, currently
they're still too easy to detect.

------
brownbat
I disagree that all or even most of the passwords are randomly chosen;
there's too little entropy for it to be a pseudo-random system, and too much
for it to be a simple algorithm based on the username. I'd bet the percentage
of the accounts here that are spammers reflects the same percentage as the
overall site, and is probably shockingly high.

---

... _natymattyoly_souza@hotmail.com:123456789321_ < probably guessed numbers
until the system said it wasn't "too obvious"

...

_anderson_andimdim@hotmail.com:159753100_ < physical numpad pattern, "X" +
100

...

_danielmarianosantana@hotmail.com:euamominhamae_ < "i love my mom" in
Portuguese... Twitter blocks "iloveyou" as it's a really common password, but
this seems similar

There are many others that may be autogenerated, but I think we can rule out
the idea that most or all of them are. The common patterns are probably just
because humans are bad at this "make up a secret that no one else makes up"
game.

~~~
aw3c2
no need to post the full details here, please redact the mail addresses.

------
m0shen
For the curious:

    curl http://pastebin.com/raw.php?i=Kc9ng18h > twitterpw.txt
    curl http://pastebin.com/raw.php?i=vCMndK2L >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=JdQkuYwG >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=fw43srjY >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=jv4LBjPX >> twitterpw.txt

~~~
dredmorbius
Or (bash/zsh):

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" > twitterpw.txt

Then:

    $ wc -l twitterpw.txt
    58978 twitterpw.txt
    $ sort -u twitterpw.txt | wc -l
    37001

Lots of dupes in there.

~~~
ricardobeat

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" | sort -u > twitterpw.txt

~~~
dredmorbius
Sure, but that doesn't tell you how many dupes were in the original list
(unless you were to separately keep a linecount). Hrm ... does pv let you do
that?

Hrm ... No, but process substitution does:

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" | tee >(sort -u >twitterpw.txt) | wc -l
    [1/5]: http://pastebin.com/raw.php?i=Kc9ng18h --> <stdout>
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  261k    0  261k    0     0   788k      0 --:--:-- --:--:-- --:--:--  953k

    [2/5]: http://pastebin.com/raw.php?i=vCMndK2L --> <stdout>
    100  434k    0  434k    0     0  1630k      0 --:--:-- --:--:-- --:--:-- 1630k

    [3/5]: http://pastebin.com/raw.php?i=JdQkuYwG --> <stdout>
    100  349k    0  349k    0     0  1526k      0 --:--:-- --:--:-- --:--:-- 7441k

    [4/5]: http://pastebin.com/raw.php?i=fw43srjY --> <stdout>
    100  367k    0  367k    0     0   897k      0 --:--:-- --:--:-- --:--:--  897k

    [5/5]: http://pastebin.com/raw.php?i=jv4LBjPX --> <stdout>
    100  291k    0  291k    0     0  1638k      0 --:--:-- --:--:-- --:--:-- 1638k
    58978

And what did we actually output?

    $ wc -l twitterpw.txt
    37001 twitterpw.txt

------
sparknlaunch12
I took a sample of 34k. I may have had some files that didn't download
fully[1]. I was only interested in picking out some trends.

66 - No password (ie null)

580 - had the password "315475"

492 - had password "123456"

187 - had password "123456789"

68 - had password "102030"

62 - had password "123"

52 - had password "12345"

44 - had password "1234"

29 - had password "101010"

35% were numeric/number only passwords. There were many that were a variation
of 123...

The rest appear to be a mixture but first names are popular. I haven't tried,
but would assume many of these would be the same passwords for the registered
email (username).

The day someone comes up with an alternative to passwords it will be a great
day!

Edit: [1] 34k unique accounts, I must have deleted duplicate
usernames/accounts.

~~~
jeffclark
What's the significance of "315475" as a password?

~~~
webmonkeyuk
I think it might relate to some "mass follower" script

See this forum thread:
<http://psx-scene.com/forums/f195/twitter-1200-follwer-hack-v2-recreated-scripts-103024/>
which links to this pastebin page which contains a bunch of users all with
that password: <http://pastebin.com/0hcDigvU>

------
gravitronic
(posted this on HN after seeing it on an RSS feed)

Definitely looks like it was a large-scale spam operation that was hacked and
not twitter itself.

I just edited the title to try to reflect the lesser impact of the leak.

~~~
bo1024
Something I haven't seen mentioned, but this makes a BIG difference for the
following reason (among others):

If this was twitter that got hacked, it implies that they're storing passwords
in plain text.

That news is or should be a Big Deal.

~~~
Dylan16807
Almost all the passwords are 8 character alphanumeric. It would mean they
aren't salting, but it's within the range of md5 rainbow tables.

------
swang
Doing a quick analysis.

58978 accounts listed, 34064 unique account/passwords

25069 accounts by email 8995 accounts by usernames

Most accounts by email:

hotmail.com @ 15598

yahoo.com.br @ 2375

gmail.com @ 2148

bol.com.br @ 1031

uol.com.br @ 695

A lot of misspellings for domain names.
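
The counts sparknlaunch12 and swang computed above (duplicates, top passwords, numeric-only share, e-mail versus username accounts, domain breakdown) can be reproduced with a short script. This is an added example, not code from anyone in the thread; it runs on a constructed sample in the dump's `account:password` line format and embeds no real data.

```python
"""Triage a credential dump: dedupe and summarise account:password lines.
Added example; the SAMPLE below is constructed, not taken from the leak."""
from collections import Counter

# Constructed lines shaped like the dump (e-mail or bare username, a colon,
# then the password). Duplicates, an empty password, a username-only entry
# and a misspelled domain are included on purpose to exercise each count.
SAMPLE = """\
alice@hotmail.com:315475
alice@hotmail.com:315475
bob@yahoo.com.br:123456
carol@gmail.com:euamominhamae
dave_88:315475
erin@bol.com.br:
frank@hotmail.com:102030
bob@yahoo.com.br:123456
grace@hotmial.com:s3cr3t!
"""


def parse_lines(text):
    """Split 'account:password' lines; split once so a ':' in the password survives."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blanks and lines that are not credential pairs
        account, password = line.split(":", 1)
        rows.append((account, password))
    return rows


def summarise(text, top_n=3):
    """Return the figures the thread's commenters worked out by hand."""
    rows = parse_lines(text)
    unique = list(dict.fromkeys(rows))  # exact-duplicate removal, order kept
    passwords = [pw for _, pw in unique]
    emails = [acct for acct, _ in unique if "@" in acct]
    domains = Counter(acct.rsplit("@", 1)[1].lower() for acct in emails)
    return {
        "total_lines": len(rows),
        "unique_pairs": len(unique),
        "by_email": len(emails),
        "by_username": len(unique) - len(emails),
        "empty_passwords": passwords.count(""),
        "numeric_share": sum(1 for pw in passwords if pw.isdigit()) / len(unique),
        "top_passwords": Counter(pw for pw in passwords if pw).most_common(top_n),
        "top_domains": domains.most_common(top_n),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE).items():
        print(f"{key}: {value}")
```

Real dumps also contain near-duplicate domains (the sample's `hotmial.com` stands in for the misspellings swang noticed), so a follow-up pass would normalise those before counting.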

------
viggity
is it just me, or do the vast majority of the passwords appear to be the
default randomly generated passwords? How many of these accounts are even
active?

~~~
reustle
I also see a lot of randomly generated accounts, but a lot of legitimate ones
as well. I think the big chunks of similar looking accounts were created by
spambots.

------
eridius
Any idea where these came from? Was Twitter actually hacked somehow (and if
so, why only 55k)? Or was 3rd-party software that collected Twitter
credentials hacked? Can 3rd-party software even collect credentials at all or
is OAuth the only authentication flow that works today?

~~~
jchrisa
could be an old list from a 3rd party in the days before Oauth

------
VBprogrammer
Does anyone know the significance of 315475 as a password? I can't immediately
see what would make this so popular.

Unless of course, as other people pointed out, it's just the same person who
registered a large portion of these accounts.

~~~
gkelly
Perhaps because it's fairly easy to type on a number pad?

~~~
dredmorbius
Many numbers are.

Fair point.

------
jayferd
Not quite 55K - lots of these are duplicated as many as 4 times in the
dataset.

    $ wc -l twitterpw.txt
    58924 twitterpw.txt
    $ sort twitterpw.txt | uniq | wc -l
    36997

------
mikegirouard
> "Unbelievable that Twitter isn’t taking any necessary steps to keep its
> users data safe. Even after encountering a huge number of hacks in the past
> including celebrities account."

I don't think that's very fair.

> "All they need to do is to add a password strength checker during signup
> while changing passwords. And guide the users to create a strong password.
> That could save a lot of users frustration."

Right...

------
cgart
Going through the comments posted here, I wonder why actually nobody says
out loud an obvious thing: "Why in the hell does Twitter use non-obfuscated
passwords?" I think one of the rules of thumb, when creating a webservice with
credentials, is to store the password in the database in such a way that it
cannot be retrieved. I mean, you usually obfuscate it with some salt and then
hash it afterwards.

Assuming Twitter does this kind of obfuscation, then all the passwords couldn't
be retrieved from Twitter directly and hence there is no blame on Twitter's side.

Assuming Twitter does not obfuscate the passwords, why then is nobody mentioning
this? In such a case Twitter made a beginner's failure and this should be
somehow pointed out, I think. I just remember the case of one dating site,
which did that and was more or less lynched for it by the community.

------
username3
34,068 without duplicates.

------
konceptz
Our comments seem to be geared towards figuring out the mechanism and not the
motive. While this can lead to the greater picture, I wonder if we can make an
assumption.

There were ~55k user:passwd leaked.

And while a large subset may come from specific regions, it's hard to say if
they all do.

But we already have a connection between all accounts, (obviously) they were
all hacked and released together. (Pretty strong connection).

So then the number might allude to an effort of some scale for some unknown
reason.

Currently and besides the legitimate users of the accounts, only one entity
has "taken damage" from this "leak". Twitter

So anyone care to continue this line of thought?

Midstream edit: NYtimes is saying it's a retaliation hack.

------
Irishsteve
Why 55k? Gotta wonder where those specific accounts came from

------
vjeux
"Unbelievable that Twitter isn’t taking any necessary steps to keep its users
data safe. Even after encountering a huge number of hacks in the past
including celebrities account. All they need to do is to add a password
strength checker during signup while changing passwords. And guide the users
to create a strong password. That could save a lot of users frustration."

If only it was that easy to prevent account stealing.

------
sev
Seems auto-generated. Looking through pastebin, this is what I found just now:
<http://pastebin.com/Rd1GjX9T>

which leads to:

<http://www.twitteraccountcreator.net/services/index.html>

Edit: Why am I being down voted? The links above seem relevant to me.

~~~
pudquick
You are being downvoted because, unlike the pastebin dumps in this article,
the one you found was created by an account named "Planex". The ones in the
article are all "Guest" / anonymous.

The "Planex" account is simply a pastebin spammer. If you visit
<http://pastebin.com/u/Planex> you can see all the things this account has
pastebin'd. Just because they had a spam pastebin related to a Twitter service
does not make it related to the other 5 pages.

------
blackysky
I don't think those are legit accounts because you can clearly see pattern
between passwords usernames and e-mails.....

------
sirwitti
Disregarding whether the accounts are spam accounts or not, I created a little
search tool, to check for user names: <http://twitterleak.martinwittmann.at/>

Maybe this will be helpful for some people.

------
moreati
The passwords in the linked pages look far too random for humans to have
chosen. My guess: either they're a spammer's account list, or this is a hoax.

Edit: There are twitter accounts to match the usernames - the few I checked
were bots. I won't test the passwords.

------
braindead_in
How was this hacked? Passwords where stored in plain text? or were they brute
forced?

------
septerr
I actually don't think this is a good enough reason to force users to use
strong passwords. You may at most warn them, but that is still annoying. If a
user chooses a weak password, it's their choice. They are taking the risk.

------
CakeX
I found one from the list on this site
<http://www.dazzlepod.com/lulzsec/?page=135>; it's from June 16, 2011. Maybe
there are more from the pastebin list.

------
rev087
There seem to be a lot of randomly generated account names and passwords,
especially in Page 1. For the rest, most of them seem to be from Brazil; just
search for .com.br. Brazilian users also use hotmail.com accounts.

------
danso
Given that, as jaysonelliot already pointed out, most of these passwords seem
auto-generated and are indicative of non-human accounts...then I guess the
source of this leak isn't from a phishing operation.

------
taylorbuley
I haven't done a formal analysis of the password text, but by eyeball and gut
these don't really appear to be real people.

The passwords are far too complex based on previous password dumps I've seen.

------
bonzoesc
I'd put money on this being from a backdoored spam tool.

------
chbrown
I can generate random strings in Python too.

Did anyone actually try any of these? None of them work. (Correct me if I'm
wrong -- I didn't try them _all_.)

------
16s
What sort of hashes are those?

Edit: Nevermind... they seem to be passwords, not hashes. They look randomish
though. Likely computer generated.

------
josephcooney
As always, amazed at the stupidly simple passwords people use (if, indeed
these ARE real people).

------
btipling
Change your password if you have a Twitter account. Change that password
wherever you use it. They may not have released the full list of passwords they
actually have access to.

I recommend 1password for managing passwords so that issues like this are
easier to manage and so that I do not use the same few passwords everywhere.

~~~
RandallBrown
this isn't a list of passwords they gained by compromising Twitter. This is
(most likely) a list of spam accounts and passwords. It doesn't look like
anything was stolen from anywhere.

------
ZenPsycho
what's the maximum size of these passwords? These look like they were obtained
by a relatively shallow brute force attack, given the weakness of the
passwords.

------
mikemarotti
Any info on how exactly this was accomplished?

------
marcelfahle
these people all have pretty sophisticated passwords. :]

------
sebphfx
I just looked at one of the pages and by looking at the data, it looks like
it's from Brazil. Portuguese names, Portuguese passwords. That was the page
with L-O. Not Portugal either, Brazil. So a good sense of observation I have.

------
its_so_on
You can't.

"'The micro blogging platform is aware of this hack and was taking necessary
actions to save those people’s account from malicious activity', said a
Twitter insider."

At first my reaction to the story was "like I give a tweet!" What are they
going to do, tweet something inane? Um... that's kind of the point of the
whole service, isn't it?

But then I remembered the true vulnerability with leaked usernames/passwords:
people use the same ones across sites.

These same people would never change their username/password combo on ANOTHER
site due to prompting on the Twitter site. They just can't read and follow
directions like that. (If they could they probably wouldn't have the same
username/pwd combo).

So, I think that: "'The micro blogging platform is aware of this hack and was
taking necessary actions to save those people’s account from malicious
activity', said a Twitter insider." is asking the impossible.

The only malicious activity is on the users' other, real, non-SMS-length-
message-broadcasting-to-the-whole-world accounts... (email, facebook, etc)

------
hackermom
Seriously, they store passwords in an easily reversible format? Or are these
booster accounts stolen from somewhere else than Twitter's premises?

