
Twitter Hacked – 250,000 User Accounts Potentially Compromised - kmfrk
http://allthingsd.com/20130201/twitter-hacked-250000-user-accounts-compromised/
======
dewitt
This is the text of the message I received (once for each account, all created
back around the same time, January 2007):

    
    
      Hi, dewitt
    
      Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
    
      You'll need to create a new password for your Twitter account. You can select a new password at this link: ***
    
      As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
    
      Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
    
      In general, be sure to:
    
      Always check that your browser's address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
      Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
      Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognize, click the Revoke Access button.
      For more information, visit our help page for hacked or compromised accounts.
    
      The Twitter Team 
    

Best of luck to the security and support teams. Days like these are not fun at
all.

~~~
dewitt
And for people trying to puzzle out who was impacted, several of these accounts
(all with random strings for passwords, btw) were barely ever used at all,
often not for several years. The only thing they had in common was their early
creation date, and hence relatively low user ids. My guess is that the hackers
simply scanned user ids starting from 1 and worked their way up.

~~~
timdorr
Are there big gaps in the early user ids? I'm 4145801 and received this
message.

~~~
nevster
Yeah - I'd say there are big gaps. I'm 1577581 and got the email. You can
check people's join dates here <http://www.whendidyoujointwitter.com/>

~~~
lacerus
Thanks! I'm 793689, joined 25 February 2007, and got the e-mail.

------
0x0
Official blogpost: http://blog.twitter.com/2013/02/keeping-our-users-secure.html

Edit: I wonder if the bad guys were able to access private Direct Messages,
too. There's always talk about resetting passwords, but nobody ever mentions
all the other confidential data that might be pastebin'ed later.

~~~
nemothekid

        This attack was not the work of amateurs, and we 
        do not believe it was an isolated incident. The 
        attackers were extremely sophisticated, and we 
        believe other companies and organizations have 
        also been recently similarly attacked.
    

Anyone have any clue what the possible motives behind this could be? My best
guess is someone is trying to mine for private data that may have been sent
over DM (Maybe Obama is sending nuke launch codes over DM). Other than that
twitter's data is mostly public and I don't see the benefit of carrying out
such an attack to simply impersonate Justin Bieber on Twitter. I also don't
suspect Twitter to be the type of company that would leave their passwords
easily crackable either. Doesn't make sense that they were mining for valid
emails either, there are cheaper ways of getting access to those.

~~~
taligent
Nobody hacks Twitter just to get valid emails or impersonate someone. That's
ridiculous.

Pretty clearly this was the work of governments e.g. China, Iran who are
trying to find out more about political dissidents or the sources of leaks.
They are the only ones who would use lucrative exploits against Twitter, NYT,
WSJ etc.

~~~
nemothekid
So to make this clear, the best guess is these attacks are being done by
governments in an effort to find out who is leaking data to Twitter, NYT, etc?

Pretty interesting if you ask me; is it likely the US would sic the best
hackers at the NSA on it if top secret information was being leaked on the
bizarro world's Chinese Twitter? It almost sounds like the prologue to the
world's first CyberWar.

~~~
0x0
To reiterate what I've been posting elsewhere, I'm sure there is a lot of
compromising material in the Direct Messages of certain well-picked accounts,
for a wide range of motives.

------
madsushi
> usernames, email addresses, session tokens and encrypted/salted versions of
> passwords

Wow, finally a breach where the hackers DIDN'T make off with all of our
passwords in plain-text. Kudos to Twitter for actually handling passwords
properly, considering the eventuality that all websites are vulnerable to
attack.

~~~
josephscott
I would feel better if I knew how they handled passwords. Hopefully it is a
hash and not encrypted. And hopefully that hash method is bcrypt (or something
similarly painful to crack).

~~~
riffraff
My first thought when reading the mail was exactly this: oh nice, salted and
hashed, but _how_?

I remember a time when many people assumed md5("notreallysalt"+password) was a
good practice, and twitter is old.
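
Added example (my own illustration, not Twitter's code and not something anyone in this thread posted) of the difference josephscott and riffraff are asking about: one fast MD5 over a site-wide "salt" versus a per-user random salt fed to a deliberately slow KDF. The static salt value is the one riffraff quotes; the user names, passwords, wordlist and the 100,000-iteration PBKDF2-HMAC-SHA256 (a standard-library stand-in for bcrypt) are all made up for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example: the legacy pattern riffraff describes, a single site-wide
# "salt" prepended to the password and run through one fast MD5.
STATIC_SALT = b"notreallysalt"
# Work factor for the hardened variant. bcrypt is not in the standard library, so
# PBKDF2-HMAC-SHA256 stands in as the "slow, per-user salted" hash (assumption).
ITERATIONS = 100_000


def weak_hash(password: str) -> str:
    """Fast and effectively unsalted: every user with the same password gets the same hash."""
    return hashlib.md5(STATIC_SALT + password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF; the parameters are stored with the digest."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_groups(records: dict) -> dict:
    """Users whose stored hashes collide; with a static salt this leaks who shares a password."""
    groups = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def attack_static_salt(records: dict, wordlist: list) -> tuple:
    """One MD5 per guess cracks the whole table at once. Returns (cracked, hashes_computed)."""
    lookup = {weak_hash(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in records.items() if h in lookup}
    return cracked, len(wordlist)


def attack_per_user_salt(records: dict, wordlist: list) -> tuple:
    """A per-user salt forces one slow KDF run per (user, guess). Returns (cracked, kdf_runs)."""
    cracked, work = {}, 0
    for user, stored in records.items():
        for guess in wordlist:
            work += 1
            if verify_strong(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


# Constructed sample data: two users reuse "hunter2", one has a password not in the list.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
WORDLIST = ["123456", "password", "hunter2"]
WEAK_RECORDS = {u: weak_hash(p) for u, p in USERS.items()}
STRONG_RECORDS = {u: strong_hash(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("static-salt duplicates:", duplicate_groups(WEAK_RECORDS))
    print("static-salt attack:", attack_static_salt(WEAK_RECORDS, WORDLIST))
    print("per-user-salt attack:", attack_per_user_salt(STRONG_RECORDS, WORDLIST))
```

With the static salt the attacker computes three MD5s and reads off both "hunter2" users, and the duplicate hashes alone tell them which accounts share a password before a single guess is made. With per-user salts the same wordlist costs nine KDF runs of 100,000 iterations each, alice's and bob's records look unrelated, and the cost scales with the number of leaked accounts rather than the size of the wordlist.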

------
ianstormtaylor
I really don't like how they decided to release this on a friday afternoon. I
know exactly why they did it, and why it is a smart PR move but it also means
two things:

- People's accounts might have been compromised earlier "this week" and they
could have used that extra warning time to make sure the damage didn't spread
to their other online accounts.

- People who might have been compromised are now less likely to see the
announcement, so if anything is compromised there's less chance they will
react to mitigate damages.

Great for PR, horrible for their users.

~~~
seldo
There is another possibility, which is that they didn't work out what was
going on until Thursday.

And anyone whose account has been compromised has _received an email_, a far
more likely way of seeing the message than relying on everybody to
occasionally check Twitter's blog for news.

~~~
bradleyland
The official Twitter release was titled "Keeping our users secure". My gut
response after reading the first couple of paragraphs was, "Are you fucking
kidding me?" That title, combined with the day/time of release really has the
cynic in me riled up.

EDIT: It'd be great if anyone willing to downvote would explain why it's OK
for Twitter to title a notice involving a breach of security resulting in the
exposure of 250,000 records containing sensitive information, "Keeping our
users secure". Because it really kind of pisses me off when I read it.

EDIT, EDIT: Highest karma volatility (up, down, up, up down, etc) of any
comment I've ever posted on Hacker News. I really am genuinely interested in
counter points.

~~~
hamburglar
Settle down. "Keeping our users secure," just means "There was a problem, and
here is what we have done to mitigate it." You have correctly observed that
they chose, in their announcement, to downplay the breach and focus on what
steps they've done to address it. What did you expect?

Let's all take a deep breath and remember: It's. Just. Twitter.

~~~
bradleyland
It doesn't really matter to me who the message comes from. When did the truth
cease to matter? I'm not naive. I recognize that this kind of thing happens
all over the place, but that's exactly why I get so frustrated at this type of
communication, and frankly, at your response. If your attitude becomes, "Oh
well, it's just Twitter, so the dishonesty doesn't matter," then we can only
expect more of the same. Everyone around Twitter will watch as they perpetrate
falsehoods in communication, and they will follow suit.

~~~
hamburglar
It's not that "dishonesty doesn't matter" it's that you really shouldn't
expect a company to go out of its way to call attention to its own screwup.
They only want to bring this to the attention of people who need to know for
security reasons, and they directly emailed all of those people. The sole
purpose of the blog post was "oh, in case you heard about a security breach,
you'll be happy to know that we've mitigated the problem. Aren't we doing
great?" Even if you think the answer is "no," there is really nothing
dishonest there.

------
jtokoph
I'm guessing they got a non-anonymized mini dump of the database for local
development. An engineer may have had a small subset of data on his local
machine.

~~~
0x0
That actually sounds very likely!

------
bengillies
Salted and hashed passwords? Companies emailing affected users? What is this
the future?

~~~
martinced
Companies that do not allow remote attackers to gain access to their DB?

Not that I disagree with you but it's not exactly as if Twitter was a role
model of security on this one...

~~~
KMag
I was an engineer at Google when the Aurora attacks happened. Until we know
more about the attackers and how it was pulled off, we don't know if this was
amateur hour security, or if Twitter was facing an Advanced Persistent Threat
with multiple 0days and custom malware.

Google used a combination of kerberos, SSH public key auth, client-side SSL
certs, and a custom crypto system called Low Overhead Authentication System
(LOAS), all of which utilize zero-knowledge proofs rather than sending
passwords to the server. Google still got compromised, using a (0day?) Adobe
Reader exploit sent via impersonating a co-worker on AIM or MSN Messenger (as
I remember).

Let's leave the jury out on this one until we find out what happened.

~~~
mikegioia
That's insane. Is there a write-up about the security behind that Google
server configuration?

~~~
KMag
I'm not aware of any such public documentation. Given the sorts of highly
capable threats Google is up against, I imagine they want to do everything in
their power to slow down attackers.

Also, they don't even allow the codenames of various parts of their
infrastructure to be leaked, much less how the parts relate and how they're
protected.

I'd really like to see LOAS open-sourced. I imagine that, like Kerberos, it's
based on Needham-Schroeder, but I've never seen its source code or any design
documentation.

------
lhl
One discussion I didn't see in the earlier NYT hack discussion
(<http://news.ycombinator.com/item?id=5143046>) was what current best
practices/readily available tools are for containing/detecting attacks, from
the perspective of running a corp network/startup service, and as an end-user
when faced w/ APT-level attacks?

For those deep in the trenches, is there a good resource for getting started
for those technically inclined/interested in learning more? Presumably there
are basic things like proper firewalls and MFA, but also more advanced things
like pattern/anomaly detecting IDS's or traffic monitoring tools?

On the user side, are there smarter ways for detecting when your system is RAT
infested (seems like an IDS running on your laptop should be able to notify you
if your system is sending out a new VNC/IRC connection...)

Back when I was more into system/network security, the open source tools
(Tripwire, AIDE, Snort) were all ... rather manual/labor intensive. Have
things evolved as the sheer amount of attacks/attack vectors have increased?
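
As an added illustration for lhl's question about noticing a RAT phoning home from a laptop (my own example, not a tool mentioned on this page), here is the shape of a minimal host-side detector: learn which (process, destination port) pairs are normal from a known-clean window, then alert on any pair not seen before and on ports associated with VNC, IRC or reverse shells. The log line format, process names, addresses and the port table are all constructed for the example; a real deployment would feed it from whatever connection auditing the host already produces.

```python
import re

# Constructed log format (assumption, not a real tool's output):
# "<timestamp> conn proto=tcp src=<ip>:<port> dst=<ip>:<port> proc=<process>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proc=(?P<proc>\S+)$"
)

# Ports an ordinary laptop process has little reason to open outbound on its own.
SUSPECT_PORTS = {
    5900: "VNC",
    5901: "VNC",
    6667: "IRC",
    6697: "IRC over TLS",
    4444: "default reverse-shell port",
}


def parse_line(line: str):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def build_baseline(lines) -> set:
    """Learn the (process, destination port) pairs seen during a clean window."""
    baseline = set()
    for line in lines:
        rec = parse_line(line)
        if rec:
            baseline.add((rec["proc"], rec["dport"]))
    return baseline


def detect(lines, baseline: set) -> list:
    """One alert per connection that hits a suspect port or a (process, port) pair
    absent from the baseline. Pairs already in the baseline stay silent."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] in SUSPECT_PORTS:
            reason = f"outbound {SUSPECT_PORTS[rec['dport']]} connection"
        elif (rec["proc"], rec["dport"]) not in baseline:
            reason = "process/port pair not in baseline"
        else:
            continue
        alerts.append({
            "ts": rec["ts"],
            "proc": rec["proc"],
            "dst": f"{rec['dst']}:{rec['dport']}",
            "reason": reason,
        })
    return alerts


# Constructed sample logs: a quiet week, then the night the thread is talking about.
BASELINE_LOG = [
    "2013-01-28T09:00:01 conn proto=tcp src=10.0.0.5:49152 dst=198.51.100.10:443 proc=firefox",
    "2013-01-28T09:00:07 conn proto=tcp src=10.0.0.5:49153 dst=198.51.100.10:80 proc=firefox",
    "2013-01-28T09:01:12 conn proto=tcp src=10.0.0.5:49154 dst=192.0.2.25:993 proc=mail",
    "2013-01-28T09:05:40 conn proto=tcp src=10.0.0.5:49155 dst=192.0.2.50:22 proc=ssh",
]
LIVE_LOG = [
    "2013-02-01T03:10:02 conn proto=tcp src=10.0.0.5:50001 dst=198.51.100.10:443 proc=firefox",
    "2013-02-01T03:10:09 conn proto=tcp src=10.0.0.5:50002 dst=203.0.113.7:443 proc=AdobeReader",
    "2013-02-01T03:11:30 conn proto=tcp src=10.0.0.5:50003 dst=203.0.113.9:6667 proc=java",
    "2013-02-01T03:12:44 conn proto=tcp src=10.0.0.5:50004 dst=203.0.113.9:5900 proc=Preview",
    "2013-02-01T03:13:01 conn proto=tcp src=10.0.0.5:50005 dst=192.0.2.50:22 proc=ssh",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in detect(LIVE_LOG, build_baseline(BASELINE_LOG)):
        print(alert)
```

The baseline learning is what keeps the noise down: the browser and ssh connections pass, while a PDF reader suddenly talking to a new host on 443 is flagged by novelty even though the port itself looks innocent, which is the kind of beacon KMag's Aurora anecdote describes. The suspect-port table catches the VNC/IRC case lhl mentions regardless of baseline.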

------
wallywax
Hmm. Perhaps that explains why I got an email from them saying my account was
compromised. Specifically, it said "Twitter believes that your account may
have been compromised by a website or service not associated with Twitter.
We've reset your password to prevent others from accessing your account." It
then went on to imply that I was phished, which is extremely unlikely (not
only am I incredibly paranoid about that kind of thing, but I haven't actually
entered my Twitter password on any website in a long time. I just use the
mobile app on my phone.)

~~~
wiredfool
Me too, and I've never attached an app to twitter. (I've got an account that I
basically have signed into 3 or 4 times in 5 years). I'm curious why my
username came up as being compromised, unless they're doing something sneaky
about updating all passwords older than x yrs old.

edit: The attacker got salted password hashes. That explains it.

~~~
0x0
Maybe they stopped the hackers in the middle of dumping the database and they
only got away with the earliest accounts created.

~~~
taligent
Or more likely the database is sharded and they just compromised those
physical machines.

~~~
0x0
That sounds odd, 250k out of 500m sounds like way too little data for even a
single shard, no? And why would only a single shard be vulnerable?

------
akkartik
I wonder if this is related to the Rails YAML issues
(<https://news.ycombinator.com/item?id=5145397>)

~~~
upthepunx
The way these things have been going (client-side vulnerability exploitation),
I would suspect that the exploited vulnerabilities were closer to the laptops
of Twitter employees than the Twitter application itself.

The blog post mentions turning off Java in your browser, which could be a clue
to the attack vector Twitter suffered, and it's written by someone from
"Information Security" rather than someone from Application Security.

~~~
0x0
Great point. I'm sure it's easier to compromise a developer or sysadmin and
use that to jump onto the production system, rather than going straight at the
main app.

~~~
taligent
Issue is that you don't know which of the tens of thousands of internal IP
addresses would correspond to the one or two sysadmins who would have
production access.

Which means either the production servers were hacked or there was a
widespread compromise of their internal network and systems e.g. email, IM.

~~~
0x0
I'm sure more than 2 people at twitter have production access.

And identifying the senior staff isn't probably that hard, they probably have
quite visible twitter accounts.

As someone mentioned in a completely different thread, it'd be enough to have
a vulnerable rails running on localhost:3000 on your laptop and "accidentally"
being hit with a CSRF, for example.

Get a shell on some staffers laptop and stay dormant, I'm sure you'll catch a
live ssh session soon enough [with access to that ssh client's process memory]
(in fact you'd get quite far just with a copy of the id_rsa + known_hosts
files)

~~~
mikegioia
Yea you really only need the contents of ~/.ssh and you could access every
server the laptop could.

Even if they didn't have production access, a lot of times servers are
configured to easily hop from one to another. They could have connected to a
development server and then just hopped to the DB server with the accounts it
seems they were looking for.

~~~
knweiss
That's why you should use ssh-agent and protect your private key with a
passphrase.

~~~
0x0
It's useful, but if an attacker got a shell on the dev laptop, I assume he
could just coredump the ssh-agent process and steal the unlocked key from
there.

------
tlrobinson
I’m collecting Twitter IDs that were hacked to determine if there is a
pattern, please contribute:
https://docs.google.com/forms/d/1vCRluBxNGlMs9WFh1bFtOfLYqrD8P-i9vMMESeQlIgo/viewform

Here's the results:
https://docs.google.com/spreadsheet/oimg?key=0AmwLhnBvBBD7dFhCMHhPYkNWNkI4QnVoTy1iYzZacHc&oid=3&zx=2a05mise2vuf

------
thezilch
Of course, that potentially means that 250,000 user accounts were also
compromised on Facebook, Pinterest, Instagram, GMail, Yahoo Mail, Hotmail, et
al. If you aren't using a different password for every service or are using
only a derivative of a master password (e.g. hunter2@twitter, hunter2@gmail,
etc), CHANGE YOUR PASSWORD on all services using the same email address (or
derivatives) as your Twitter account. Set up 1Password.

~~~
mosburger
And while you're at it, set up two-factor authentication on your Google
account. It's a PITA, but much less of a pain than trying to get your account
back.

~~~
sabat
You know, I've had this going on all four of my Gmail/Google accounts (!) for
well over a year now, and I still think it's totally worth it. It's not really
a pain, and I can sleep better because of it.

~~~
tlrobinson
Yeah, I used to think it was a pain, but once I realized my email is a single
point of failure it was completely worth it.

------
rasengan0
Did any one get any stranger followers before or after the twitter
warning/password reset?

Not sure if this is a coincidence but I got a follower at 3am today, then the
Twitter warning. The follower is legit but I can't make a connection/context
as to why they would follow me. After I did a password reset I got another
follower whom I've known for years in business, but now I wonder if these
coincidences are related. This all reminds me of that Twilight Zone episode on
Maple St. where the aliens fiddle with the lights and the whole town goes
paranoid bonkers :-)

------
dpweb
They need to make public the details. How was it done? They left that out of
the announcement. You guys know better: public disclosure of hacking techniques
prepares those much less tech-savvy than Twitter's website operators (about
everyone) so that they can prepare and protect themselves.

Please consider signing.. https://www.change.org/petitions/twitter-com-release-the-details-of-how-your-systems-were-compromised-hacked#share

------
JuDue
There is a hack/virus where your account gets hijacked and messages are sent
to your contacts with wording like "I found this pic of you" or "an
embarrassing photo of you!"... and anyone who clicks is themselves hacked.

Thing is... this spammy virus has been around for a WHOLE YEAR

It's AMAZING Twitter hasn't analysed those messages by now and worked out a
way to detect them

Especially because the account spams rapidly until you reach your message
limit.....

WTF Twitter?!

------
rdl
Why the fuck is it 2013 and Twitter doesn't support two factor auth?

~~~
bo1024
I assume if they did then it would only be the accounts who don't use it who
were compromised? I.e. probably about 245,000 accounts.

~~~
rdl
Yes, but the important accounts would be more likely to use it, as well as
those more likely to be targets.

------
abadidea
I made a spreadsheet of 53 victims I found. It seems the defining trait is
that the account was opened in 2007. There was like one or two from 2006 and
one from 2012 but that one may be spurious. Also, almost everyone on the list
unambiguously owns an iPhone, but that may just be a coincidence owing to
popularity and my sample being inherently weighted to English-speakers. Only
found one non-English user I was confident was saying they got the email.

https://docs.google.com/spreadsheet/ccc?key=0AmIfHssIKuJgdFFEbC14dDdOOWZQcHlKbWI3dHpNQmc#gid=0

If anyone wants to take those usernames and write their own script to divine
some knowledge from the API, feel free

------
gfosco
Performing a "forced-reset" on waves of accounts is a pretty effective way of
eliminating 'anonymous' accounts no longer linked to a valid email. I bet a
decent number of users were permanently locked out of their accounts.

------
joelthelion
Time to advocate for a truly decentralized version of Twitter :)

~~~
ajanuary
Not that I'm against a decentralised Twitter, but wouldn't that increase the
attack vector?

~~~
joelthelion
If you have many different implementations running on thousands of different
servers, it makes taking down the whole thing much more difficult.

------
pauldavis
I have a mid-four-digit user name and I have received three emails in the last
24 hours from Twitter telling me that my password has been reset. Disturbing.

------
bo1024
It would be nice to know how well-protected the passwords were. (Were the
salts also accessed? How were the passwords hashed?)

------
tlrobinson
No reset requests for me on the following account numbers:

    
    
        142060xx
        871300xx
        926735xx
        1059356xx
        1123682xx
        1889149xx
        2307901xx
        8364203xx
        9024384xx
    

I had no idea I had so many accounts until I searched my email.

------
Adaptive
I received this same mail earlier. Very glad that I have a policy of strong
random passwords for each site. Not affiliated with them other than being a
user, but I recommend LastPass + YubiKey for two factor (you can use Google
Authenticator as well with LastPass).

------
pbhjpbhj
Hmm, I saw this story, changed my account password(s). Then I noticed that I'd
already had the email.

The email said that the password had been reset (as in dewitt's post) but I'd
just logged in - after the claimed reset - with the old credentials.

That's kinda worrying.

~~~
dserodio
Both my Mac and Android twitter clients are still logged in, and in the e-mail
they said that session tickets had been invalidated...

~~~
dchest
These clients use a different authentication mechanism. Looks like
authentication tokens for clients weren't leaked.

------
tanepiper
I'm a Nov 2006 account and I just got the email. Since then I have reset my
password to be particularly strong, but it seems it's forcing me to do it
again (not that I mind; I use a very strong password stored in LastPass).

------
slig
Who is telling the truth?

From the email I just got from them:

> Twitter believes that your account may have been compromised by a website or
> service not associated with Twitter. We've reset your password to prevent
> others from accessing your account.

~~~
alanh
Sounds like a coincidence, to me

------
baconhigh
I notice the tweetdeck web (and therefore client) ssl cert has just been
revoked...

<https://pbs.twimg.com/media/BCJ8yC_CcAAHZlJ.png:large>

------
bradly
Very concerning that while my session was terminated in my browser my iPhone
and iPad apps are still authenticated. Shouldn't those sessions have been
invalidated too?

~~~
fredoliveira
Most apps use xAuth, which means your password isn't sent down the wire except
for the very first time you authenticate.

~~~
nikcub
I still killed all my oauth tokens, since they can be replayed
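
Added example for the session question raised by dserodio, bradly and nikcub (illustrative code of my own, not Twitter's): a server-side token store in which a password reset bumps a per-user generation counter. Browser sessions always die with the reset; app tokens obtained via xAuth/OAuth only die if the reset also bumps the app generation, which is exactly the gap that leaves a phone client logged in and makes nikcub's manual revocation the right move. All user names, application names, the token format and the hashing parameters are assumptions.

```python
import hashlib
import os
import secrets


class AccountStore:
    """Constructed example: sessions and app (OAuth) tokens record the 'generation'
    of the user's credentials when issued. Bumping a generation invalidates every
    token issued before it without touching the tokens themselves."""

    def __init__(self):
        self.users = {}    # name -> {"salt", "hash", "session_gen", "oauth_gen"}
        self.tokens = {}   # token -> {"user", "kind", "app", "gen"}

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        # Iteration count is an assumption chosen to keep the example fast.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def create_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": self._pw_hash(password, salt),
                            "session_gen": 0, "oauth_gen": 0}

    def check_password(self, name: str, password: str) -> bool:
        u = self.users[name]
        return secrets.compare_digest(self._pw_hash(password, u["salt"]), u["hash"])

    def _issue(self, name: str, kind: str, app: str = None) -> str:
        tok = secrets.token_urlsafe(32)
        gen = self.users[name]["session_gen" if kind == "session" else "oauth_gen"]
        self.tokens[tok] = {"user": name, "kind": kind, "app": app, "gen": gen}
        return tok

    def login(self, name: str, password: str):
        """Browser-style login: password checked, session token returned (None on failure)."""
        if not self.check_password(name, password):
            return None
        return self._issue(name, "session")

    def authorize_app(self, name: str, app: str) -> str:
        """What a client keeps after xAuth/OAuth; the password is never sent again."""
        return self._issue(name, "oauth", app)

    def is_valid(self, tok: str) -> bool:
        rec = self.tokens.get(tok)
        if rec is None:
            return False
        u = self.users[rec["user"]]
        current = u["session_gen"] if rec["kind"] == "session" else u["oauth_gen"]
        return rec["gen"] == current

    def reset_password(self, name: str, new_password: str, revoke_apps: bool = False) -> None:
        """A reset always kills browser sessions. App tokens survive unless revoke_apps
        is set: that is the gap the thread notices (phone apps still logged in)."""
        u = self.users[name]
        u["salt"] = os.urandom(16)
        u["hash"] = self._pw_hash(new_password, u["salt"])
        u["session_gen"] += 1
        if revoke_apps:
            u["oauth_gen"] += 1

    def revoke_app(self, name: str, app: str) -> None:
        """The per-application 'Revoke Access' button from the settings page."""
        for tok, rec in list(self.tokens.items()):
            if rec["user"] == name and rec["kind"] == "oauth" and rec["app"] == app:
                del self.tokens[tok]


if __name__ == "__main__":
    store = AccountStore()
    store.create_user("dserodio", "old-password")
    session = store.login("dserodio", "old-password")
    phone = store.authorize_app("dserodio", "Twitter for Android")
    store.reset_password("dserodio", "new-password")
    print("session still valid:", store.is_valid(session))   # False
    print("phone app still valid:", store.is_valid(phone))   # True: the gap
    store.reset_password("dserodio", "newer-password", revoke_apps=True)
    print("phone app after full revoke:", store.is_valid(phone))  # False
```

The generation counter is cheaper than hunting down every token row at reset time and also covers tokens the attacker already copied from the breached table, since they carry the old generation. The design choice the thread is circling is whether a forced reset should bump both counters; if a dump of session tokens is part of what leaked, the safe answer is yes, at the cost of logging every client out.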

------
tmsh
Everything needs to shift to MFA...

<http://news.ycombinator.com/item?id=5149023>

------
artursapek
Hahah, Jack Dorsey was speaking at my school today. Can't have helped his
stage confidence to have this on his mind.

------
baconhigh
Yep, just got one too. My ID is around the 19000s..

Of note, the apps I have allowed access to my account are:

tweetdeck, twitter for android/OSX and instagram.

(if that helps any diagnosis of potential attack vectors)

------
ForFreedom
My account also got hacked, got an email from Twitter.

------
ehtisham
They should've been salted and hashed!

~~~
radq
The passwords were, apparently.

“However, our investigation has thus far indicated that the attackers may have
had access to limited user information – usernames, email addresses, session
tokens and _encrypted/salted versions of passwords_ – for approximately
250,000 users.”

------
xkiwi
Ruby on Rails, Java, ?=> Twitter.

------
jaequery
wonder if it's that notorious ruby/YAML hack

------
kzahel
My bet is Chinese govt sponsored hackterrorism

~~~
alanh
Downvoted your guess because you didn’t even cite the recent trend (which is
mentioned in the article) of reported Chinese hackings, and you contribute
nothing.

------
michaelhoffman
"[W]e encourage all users to take this opportunity to ensure that they are
following good password hygiene..."

Wow, that's so insulting. How about you just do your job instead?

~~~
talaketu
Wow, poor precious. Are you likewise insulted when the bank tells you not to
keep a written note of your PIN with your card? As obvious as it is to you to
ensure good password hygiene, it should be obvious that Twitter has a clear
interest in encouraging less informed users doing the same.

