Hacker News new | past | comments | ask | show | jobs | submit login
55,000 Twitter passwords leaked (airdemon.net)
242 points by gravitronic on May 8, 2012 | hide | past | favorite | 104 comments

I just did a random sampling of these accounts, and what's interesting is that every one of the twenty accounts I looked at had about 3-6 followers, and was following thousands of people (or it was suspended).

All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.

On a hunch, I logged in to a few of those accounts and saw that they all had messages asking them to confirm their email addresses, as they had not done so yet.

This is probably not a "leak," but some spammer's list of fake accounts.

"This is probably not a 'leak,' but some spammer's list of fake accounts."

Ok, since I like to randomly speculate about various facts, consider the following, what if this was a white hat operation? We have seen that folks who uncover botnets are in a weird place because if they take them out they can be accused of violating the CFA but if they leave them in place, the world stays sucky. So what to do? A creative missive to not take them out?

A white hat can 'leak' all of the spam accounts, which engages Twitter's customer relations team, which disables all the accounts because they might be 'compromised' and sends an email to the owner to change their password. Except they are spam accounts and don't have real emails so the emails go into the bit bucket and 55,000 spam accounts go dark. I realize that is a lot of construction.

Why wouldn't they just email twitter explaining how to identify the spammers and including a list?

Well follow that logic a bit, your a social networking company, you get email from person A (who you don't know) saying that user B is a spammer. (or that these 55K accounts are spammers) what do you do?

Well if you do anything automatically then you put yourself at risk for people bullying other legit users by accusing them of spamming. Since real users tweet all sorts of bad things when you accidentally ban them, you want zero false positives, so you have a fairly heavy weight policy.

So if the policy takes an hour per account, reports of 55,000 would be really hard to do. However, if you release the passwords of them into the 'wild' then all Twitter has to do is 'prevent further abuse' which is a password reset and mass mailing.

Again, its pure speculation on this leak, the problems with acting on internet reported abuse is one that I got to see first hand at Google when I was there (people get reported as spammers, accounts get disabled, tempers flare, nobody is happy, it is a really hard problem.)

Said email would become a confession and evidence if Twitter (or a third party that had this list) were to charge the leaker under CFA (or the relevant law in their country). Posting it anonymously has the same effect without exposing the leaker to legal issues.

I googled but cannot find the right CFA. What is it?

Also: Joe Jobs.

Steve's extra-evil twin? Or did you mean "Joe jobs"?

The latter.

Why not just change the passwords yourself then? While you're at it, unfollow all those people.

Because that would be illegal and easier to trace than dumping them publicly. This way Twitter does the work.

It's all illegal but you're right about Twitter doing the work.

I doubt it, but that's a really interesting what-if. If you think about it though, if you're going to auto-generate accounts, wouldn't hard-to-crack passwords be easier to generate than dictionary-based ones?

Many of these accounts are from Brazilians (like me) who use shitty passwords (unlike me). I checked a few of them and they seem legit. I was even able to log into one of the user's hotmail account, it was a real person. Not saying all of them are, but at least a few arent.

>I was even able to log into one of the user's hotmail account, it was a real person.

Why do people do this? Or rather, why do people do this and then admit to it in public forums?

This is unethical and probably illegal.

I sent an email himself saying that his account was hacked, he should change his pwd and I didnt steal anything

It is not that I care or that I think that you did something immoral, IMO you didn't harm anyone but it is still probably illegal (obviously depending on the jurisdiction).

You care a lot

> I logged into a few of those accounts

Unethical and probably illegal. You just admitted to logging into someone else's account without their permission. At the very least you probably violated Twitter's terms.

If I never signed up for a twitter account and only signed into one for the first time using these leaked passwords, I haven't agreed to any terms of service.

Doesn't matter, still illegal.

Depends where you are, US laws don't apply to the whole world

(and even in the US it is much more nuanced. logging in and doing nothing with a public username and password is really in the grey area).

Technically, no. Effectively, yes they do.

The only restriction on US law is how hard we want to push other governments to enforce them.

login to my account: hackernews@mailinator.com:bacon123

is that a crime?

I have a startup idea, show plaintext username and password on my website for every website i registered, and if somebody logged in using them sue them for money. I will give lawyer 50%. profit and vacation. :D

You've given everyone permission so no, it's not a crime.

That silly password is a crime.

Too many brazilian accounts for a spammer list. There is no reason to use UOL/BOL over hotmail/yahoo/etc.

I think this is from a third-party service, back when OAuth was not common, or maybe from a fake service someone created just to steal passwords.. There are many accounts that couldn't possibily be created on twitter:


The large number of Hotmail and Yahoo email addresses used also speaks to the possibility of these being bot generated. I tried logging into a few but got incorrect password messages. I wonder if they have already been reset.


It seems the usernames are quite random as well. So far, not much lost then :)

This is entirely speculation on my part, but maybe this is some insight into how many spam accounts there are on Twitter.

I am fairly worried by the security policy at Twitter.

For example, I have a friend who had his Twitter account hacked. As an experiment, he deactivated the account, but did not change the password. Whoever had the password logged into the hacked account and reactivated it. When he received the email of the reactivation, there was no "If you did not initiate this, click here" option.

edit: formatting

There really ought to be some general rule of account classification in a broad-based public service. My very rough rule of thumb:

10% of accounts are active (daily/weeekly participation)

1% of accounts are "whales" (provide high level to the service).

~15-50% of accounts are some-time users.

~25-50% of accounts are one-time users (registered but never used)

If your service is sufficiently old, call it 5-10 years ...

~25-50% of accounts are expired / no longer reachable (usually the contact email/phone is no longer valid).

Active spammers don't have to be a high level of the service to be disruptive, but can be anywhere from 1-25%, mostly depending on how effective you are at rooting them out.

Very, very rough, and no, I don't have a particularly good basis to back these up other than the first 2-3 values.

Yeah, the passwords are also short strings like 4040. Usually twitter doesn't let you define such unsecure password.

I've made some throwaway accounts for testing, and found that insecure passwords are A-OK for Twitter!

why don't you share the username/password here and we'll see how much sharing we can get away with (let's try not ruin the fun by changing the password...)

wow is this ever unpopular. I didn't mean, "of your account", I meant of "your throwaway twitter account with lax security, to see if twitter minds whether several or dozens of people use one from all different IP's". Or whether, like Google, they even care if people do unusual, suspicious things. Nevermind, I guess!

Interesting, I got what you meant straight away and thought it would be interesting to see what happens too. Shame eh!

There are a few in there like that, but just glancing at it the majority of them are suspiciously uniform. 8 random-looking characters, upper/lower/number.

If this really is a list of spammer accounts, the ones that look like real accounts are probably stolen from legit users to be used for spamming.

I agree - quick sample, search 'safal' in the first pastebin link. It comes up in the username 87 times...

Can you elaborate technically on how you went about this? Thanks!

I checked a few and found exactly the same.

Every single account I checked has constantly retweeted the account @Swagstro[1]. They have 314k followers, but no "Verified Account" tag (which extremely popular users tend to have). I don't mean to point the finger, but it seems like these accounts were used to boost the popularity of said account.

EDIT: They gained 70k followers in the past two days alone[2].

EDIT 2: Their tweets have all disappeared since posting this comment.

CONCLUSION: Automatically generated accounts, profiles, and tweets. These accounts are used for services that provide paid followers and retweets. It's actually pretty interesting stuff if you look at the automatically generated "Twitter Ipsum" that is their profile descriptions and how they randomly pick quotes from famous people to tweet.

[1] https://twitter.com/#!/Swagstro

[2] http://twittercounter.com/Swagstro

Fascinating stuff. I guess the grey ecosystem is evolving on Twitter. A look at his followers - https://twitter.com/#!/Swagstro/followers - implies nearly all are fake just from their descriptions... not the '18 luv sex lol' fake but some sort of algorithmically generated description that seems legit until you compare it with all his other followers. Most are a riff on the following: "Thinker. Writer. Bacon buff. Typical music ninja. Extreme entrepreneur. Web geek. Social media fan. Devoted reader. Subtly charming troublemaker".

Anyone know anything more about this? Are there companies overtly selling followers?

If you look at who that account is following, there seems to be a whole network of people using accounts with names close to (or impersonating) celebrities who all re-tweet each other and promise "10 follow-backs for each follow" and "if you follow <random> I'll follow you" etc.

Looks like either some kind of weird social hack/club or I don't know what..

This account has close to 1M followers, and appears to be in that same network or loop of spammy follower-harvesting group..


Actually, that account looks pretty legit (in the sense that it's not 100% bot generated).

Look at Swagstro's follower list [1], and Cmd/Ctrl-F for "holic", "fanatic", "introvert", "bacon", "wannabe". Almost all of the accounts are simply randomly generating the Lorem Ipsum of Twitter descriptions.

[1] https://twitter.com/#!/Swagstro/followers

This makes me wonder if Twitter is ever going to crack down on these spam accounts, or put in place some preventive measures. Right now it's really encouraging for spammers to create these accounts and sell their services. There's still lots of room for improvement in these bot accounts, currently they're still too easy to detect.

@Swagstro is following 65 people. The first user @Swagstro follows is @Rene (with 918k followers!).

Some big weekly jumps in March (~50k) and April (~30k).

Magic SEO? Or the next JB? Something to do with clothing?

The domain "swagst.ro" is currently available for US$37 per year...

[1] https://twitter.com/#!/Rene (Verified Twitter Account)

[2] http://twittercounter.com/compare/Rene/3month/followers

I disagree that the all or even most of the passwords are randomly chosen, there's too little entropy for it to be a pseudo random system, and too much for it to be a simple algorithm based on the username. I'd bet the percentage of the accounts here that are spammers reflects the same percentage as the overall site, and is probably shockingly high.


... natymattyoly_souza@hotmail.com:123456789321 < probably guessed numbers until the system said it wasn't "too obvious"


anderson_andimdim@hotmail.com:159753100 < physical numpad pattern, "X" + 100


danielmarianosantana@hotmail.com:euamominhamae < "i love my mom" in portuguese... Twitter blocks "iloveyou" as it's a really common password, but this seems similar






There are many others that may be autogenerated, but I think we can rule out the idea that most or all of them are. The common patterns are probably just because humans are bad at this "make up a secret that no one else makes up" game.

no need to post the full details here, please redact the mail addresses.

For the curious:

    curl http://pastebin.com/raw.php?i=Kc9ng18h > twitterpw.txt
    curl http://pastebin.com/raw.php?i=vCMndK2L >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=JdQkuYwG >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=fw43srjY >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=jv4LBjPX >> twitterpw.txt

Or (bash/zsh):

     curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" > twitterpw.txt
Then: $ wc -l twitterpw.txt 58978 twitterpw.txt $ sort -u twitterpw.txt | wc -l 37001

Lots of dupes in there.

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" | sort -u > twitterpw.txt

Sure, but that doesn't tell you how many dupes were in the original list (unless you were to separately keep a linecount). Hrm ... does pv let you do that?

Hrm ... No, but process substitution does:

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" | tee >(sort -u >twitterpw.txt) | wc -l
    [1/5]: http://pastebin.com/raw.php?i=Kc9ng18h --> <stdout>
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  261k    0  261k    0     0   788k      0 --:--:-- --:--:-- --:--:--  953k
    [2/5]: http://pastebin.com/raw.php?i=vCMndK2L --> <stdout>
    100  434k    0  434k    0     0  1630k      0 --:--:-- --:--:-- --:--:-- 1630k
    [3/5]: http://pastebin.com/raw.php?i=JdQkuYwG --> <stdout>
    100  349k    0  349k    0     0  1526k      0 --:--:-- --:--:-- --:--:-- 7441k
    [4/5]: http://pastebin.com/raw.php?i=fw43srjY --> <stdout>
    100  367k    0  367k    0     0   897k      0 --:--:-- --:--:-- --:--:--  897k
    [5/5]: http://pastebin.com/raw.php?i=jv4LBjPX --> <stdout>
    100  291k    0  291k    0     0  1638k      0 --:--:-- --:--:-- --:--:-- 1638k
And what did we actually output?

    $ wc -l twitterpw.txt 
    37001 twitterpw.txt

For the optimizers:

  for k in Kc9ng18h vCMndK2L JdQkuYwG fw43srjY jv4LBjPX; do curl http://pastebin.com/raw.php?i=$k >> twitterpw.txt; done

I took a sample of 34k. I may have had some files that didn't download fully[1]. I was only interested in picking out some trends.

66 - No password (ie null)

580 - had the password "315475"

492 - had password "123456"

187 - had password "123456789"

68 - had password "102030"

62 - had password "123"

52 - had password "12345"

44 - had password "1234"

29 - had password "101010"

35% were numeric/number only passwords. There were many that were a variation of 123...

The rest appear to be a mixture but first names are popular. I haven't tried, but would assume many of these would be the same passwords for the registered email (username).

The day someone comes up with an alternative to passwords it will be a great day!

Edit: [1] 34k unique accounts, I must have deleted duplicate usernames/accounts.

What's the significance of "315475" as a password?

I think it might relate to some "mass follower" script

See this forum thread: http://psx-scene.com/forums/f195/twitter-1200-follwer-hack-v... which links to this pastebin page which contains a bunch of users all with that password http://pastebin.com/0hcDigvU

It's a rather pleasant shade of blue, and a Syracuse, NY telephone exchange. Other than that, no significance I can gather. May well be an arbitrarily chosen random number.

http://www.colorhexa.com/315475 http://xkcd.com/221/

All of these accounts were not email address usernames - ie had no @xxxx

So maybe random generated by twitter or spam accounts?

Edit: Appear to be closed or suspended accounts.

Fits the known pattern of password frequency, people don't care much despite all the warnings. http://www.troyhunt.com/2011/03/only-secure-password-is-one-...

(posted this on HN after seeing it on an RSS feed)

Definitely looks like it was a large-scale spam operation that was hacked and not twitter itself.

I just edited the title to try to reflect the lesser impact of the leak.

MANY of the accounts fit that pattern. A large number have the same seemingly random 6-digit numeric password. Another large number have exactly 8 characters of pseudo-random alphanumerics.

But many of them have exactly the kind of password you would expect humans to have. Maybe those were accounts that were stolen (phished?) and added to the spam operation, but they certainly seem like human-generated (i.e. mostly bad, but more importantly, without an obvious pattern) passwords to me.

Something I haven't seemed mentioned, but this makes a BIG difference for the following reason (among others):

If this was twitter that got hacked, it implies that they're storing passwords in plain text.

That news is or should be a Big Deal.

Almost all the passwords are 8 character alphanumeric. It would mean they aren't salting, but it's within the range of md5 rainbow tables.

Doing a quick analysis.

58978 accounts listed, 34064 unique account/passwords

25069 accounts by email 8995 accounts by usernames

Most accounts by email:

hotmail.com @ 15598

yahoo.com.br @ 2375

gmail.com @ 2148

bol.com.br @ 1031

uol.com.br @ 695

A lot of misspellings for domain names.

is it just me, or do the vast majority of the passwords appear to be the default randomly generated passwords? How many of these accounts are even active?

I also see a lot of randomly generated accounts, but a lot of legitimate ones as well. I think the big chunks of similar looking accounts were created by spambots.

Yeah, I'm seeing alot of randomly generated numbers as passwords -- is that the twitter default?

Any idea where these came from? Was Twitter actually hacked somehow (and if so, why only 55k)? Or was 3rd-party software that collected Twitter credentials hacked? Can 3rd-party software even collect credentials at all or is OAuth the only authentication flow that works today?

could be an old list from a 3rd party in the days before Oauth

Does anyone know the significance of 315475 as a password? I can't immediately see what would make this so popular.

Unless of course as other people pointed out its just the same person who registered a large portion of these accounts.

Perhaps because it's fairly easy to type on a number pad?

Many numbers are.

Fair point.

Not quite 55K - lots of these are duplicated as many as 4 times in the dataset.

    $ wc -l twitterpw.txt
    58924 twitterpw.txt
    $ sort twitterpw.txt | uniq | wc -l

> "Unbelievable that Twitter isn’t taking any necessary steps to keep its users data safe. Even after encountering a huge number of hacks in the past including celebrities account."

I don't think that's very fair.

> "All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."


Going through the comments posted here, I wonder why actually nobody speaks loud an obvious thing: "Why in the hell twitter uses non-obfuscated password?" I think on of the rule of thumb, when creating a webservice with credentials, is to store the password in the way in the database, that it cannot be retrieved. I mean, you usually obfuscate it with some salt and then hash it afterwards.

Assuming Twitter does this kind of obfuscation, then all the password couldn't be retrieved from Twitter directly and hence no blaim on Twitter side.

Assuming Twitter does not obfuscate the password, why then nobody mentioning this? In such a case Twitter made a beginner failure and this should be somehow pointed out, I think. I just remember the case about one dating-site, which did that and it was more or less lynched for this by the community.

34,068 without duplicates.

Our comments seem to be geared towards figuring out the mechanism and not the motive. While this can lead to the greater picture, I wonder if we can make an assumption.

There were ~55k user:passwd leaked.

And while a large subset may come from specific regions, it's hard to say if they all do.

But we already have a connection between all accounts, (obviously) they were all hacked and released together. (Pretty strong connection).

So then the number might allude to an effort of some scale for some unknown reason.

Currently and besides the legitimate users of the accounts, only one entity has "taken damage" from this "leak". Twitter

So anyone care to continue this line of thought?

midstreamEdit: NYtimes is saying it's a retaliation hack.

Why 55k? Gotta wonder where those specific accounts came from

"Unbelievable that Twitter isn’t taking any necessary steps to keep its users data safe. Even after encountering a huge number of hacks in the past including celebrities account. All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."

If only it was that easy to prevent account stealing.

Seems auto-generated. Looking through pastebin, this is what I found just now: http://pastebin.com/Rd1GjX9T

which leads to:


Edit: Why am I being down voted? The links above seem relevant to me.

You are being downvoted because, unlike the pastebin dumps in this article, the one you found was created by an account named "Planex". The ones in the article are all "Guest" / anonymous.

The "Planex" account is simply a pastebin spammer. If you visit http://pastebin.com/u/Planex you can see all the things this account has pastebin'd. Just because they had a spam pastebin related to a Twitter service does not make it related to the other 5 pages.

I don't think those are legit accounts because you can clearly see pattern between passwords usernames and e-mails.....

Disregarding whether the accounts are spam accounts or not, I created a little search tool, to check for user names: http://twitterleak.martinwittmann.at/

Maybe this will be helpful for some people.

The passwords in the linked pages look far too random for humans to have chosen. My guess: either they're a spammer's account list, or this is a hoax.

Edit: There are twitter accounts to match the usernames - the few I checked were bots. I won't test the passwords.

How was this hacked? Passwords where stored in plain text? or were they brute forced?

I actually don't think this is a good enough reason to force users to use strong passwords. You may at most warn them, but that is still annoying. If a user chooses a weak password, it's their choice. They are taking the risk.

I found one from the List on this Site http://www.dazzlepod.com/lulzsec/?page=135 it´s from June 16, 2011 - Maybe there are more from the Pastebinlist.

There seem to be a lot of randomly generated account names and passwords, especially in Page 1. For the rest, most of them seem to be from Brazil; just search for .com.br. Brazilian users also use hotmail.com accounts.

Given that, as jaysonelliot already pointed out, most of these passwords seem auto-generated and are indicative of non-human accounts...then I guess the source of this leak isn't from a phishing operation.

I haven't done a formal analysis of the password text but by eyeball and guy these don't really appear to be real people.

The passwords are far too complex based on previous password dumps I've seen.

I'd put money on this being from a backdoored spam tool.

I can generate random strings in Python too.

Did anyone actually try any of these? None of them work.(Correct me if I'm wrong -- I didn't try them _all_)

What sort of hashes are those?

Edit: Nevermind... they seem to be passwords, not hashes. They look randomish though. Likely computer generated.

As always, amazed at the stupidly simple passwords people use (if, indeed these ARE real people).

Change your password if you have a Twitter account. Change that password where ever you use it. They may not have released the full list of passwords they actually have access to.

I recommend 1password for managing passwords so that issues like this are easier to manage and so that I do not use the same few passwords everywhere.

this isn't a list of passwords they gained by compromising Twitter. This is (most likely) a list of spam accounts and passwords. It doesn't look like anything was stolen from anywhere.

what's the maximum size of these passwords? These look like they were obtained by a relatively shallow brute force attack, given the weakness of the passwords.

Any info on how exactly this was accomplished?

these people all have pretty sophisticated passwords. :]

I just looked at one of the pages and by looking at the data, it looks like it's from Brazil. Portuguese names,portuguese passwords. That was the page with L-O.Not Portugual either, Brazil. So a good sense of observation I have.

You can't.

"'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider."

At first my reaction to the story was "like I give a tweet!" What are they going to do, tweet something inane? Um... that's kind of the point of the whole service, isn't it?

But then I remembered the true vulnerability with leaked usernames/passwords: people use the same ones across sites.

These same people would never change their username/password combo on ANOTHER site due to prompting ont he Twitter site. They just can't read and follow directions like that. (If they could they probably wouldn't have the same username/pd combo).

So, I think that: "'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider." is asking the impossible.

The only malicious activity is on the users' other, real, non-SMS-length-message-broadcasting-to-the-whole-world accounts... (email, facebook, etc)

Seriously, they store passwords in an easily reversible format? Or are these booster accounts stolen from somewhere else than Twitter's premises?

Applications are open for YC Winter 2021

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact