
I just did a random sampling of these accounts, and what's interesting is that every one of the twenty accounts I looked at had about 3-6 followers, and was following thousands of people (or it was suspended).

All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.

On a hunch, I logged in to a few of those accounts and saw that they all had messages asking them to confirm their email addresses, as they had not done so yet.

This is probably not a "leak," but some spammer's list of fake accounts.

> This is probably not a "leak," but some spammer's list of fake accounts.

Ok, since I like to randomly speculate about various facts, consider the following, what if this was a white hat operation? We have seen that folks who uncover botnets are in a weird place because if they take them out they can be accused of violating the CFA but if they leave them in place, the world stays sucky. So what to do? A creative missive to not take them out?

A white hat can 'leak' all of the spam accounts, which engages Twitter's customer relations team, which disables all the accounts because they might be 'compromised' and sends an email to the owner to change their password. Except they are spam accounts and don't have real emails so the emails go into the bit bucket and 55,000 spam accounts go dark. I realize that is a lot of construction.

Why wouldn't they just email twitter explaining how to identify the spammers and including a list?

Well, follow that logic a bit: you're a social networking company, and you get an email from person A (whom you don't know) saying that user B is a spammer (or that these 55K accounts are spammers). What do you do?

Well if you do anything automatically then you put yourself at risk for people bullying other legit users by accusing them of spamming. Since real users tweet all sorts of bad things when you accidentally ban them, you want zero false positives, so you have a fairly heavy weight policy.

So if the policy takes an hour per account, reports of 55,000 would be really hard to do. However, if you release the passwords of them into the 'wild' then all Twitter has to do is 'prevent further abuse' which is a password reset and mass mailing.

Again, it's pure speculation on this leak. The problem with acting on internet-reported abuse is one that I got to see first hand at Google when I was there (people get reported as spammers, accounts get disabled, tempers flare, nobody is happy; it is a really hard problem).

Said email would become a confession and evidence if Twitter (or a third party that had this list) were to charge the leaker under CFA (or the relevant law in their country). Posting it anonymously has the same effect without exposing the leaker to legal issues.

I googled but cannot find the right CFA. What is it?

Also: Joe Jobs.

Steve's extra-evil twin? Or did you mean "Joe jobs"?

The latter.

Why not just change the passwords yourself then? While you're at it, unfollow all those people.

Because that would be illegal and easier to trace than dumping them publicly. This way Twitter does the work.

It's all illegal but you're right about Twitter doing the work.

I doubt it, but that's a really interesting what-if. If you think about it though, if you're going to auto-generate accounts, wouldn't hard-to-crack passwords be easier to generate than dictionary-based ones?

Many of these accounts are from Brazilians (like me) who use shitty passwords (unlike me). I checked a few of them and they seem legit. I was even able to log into one of the users' hotmail account; it was a real person. Not saying all of them are, but at least a few aren't.

>I was even able to log into one of the user's hotmail account, it was a real person.

Why do people do this? Or rather, why do people do this and then admit to it in public forums?

This is unethical and probably illegal.

I sent him an email saying that his account was hacked, he should change his password, and I didn't steal anything.

It is not that I care or that I think that you did something immoral, IMO you didn't harm anyone but it is still probably illegal (obviously depending on the jurisdiction).

You care a lot

> I logged into a few of those accounts

Unethical and probably illegal. You just admitted to logging into someone else's account without their permission. At the very least you probably violated Twitter's terms.

If I never signed up for a twitter account and only signed into one for the first time using these leaked passwords, I haven't agreed to any terms of service.

Doesn't matter, still illegal.

Depends where you are, US laws don't apply to the whole world

(and even in the US it is much more nuanced. logging in and doing nothing with a public username and password is really in the grey area).

Technically, no. Effectively, yes they do.

The only restriction on US law is how hard we want to push other governments to enforce them.

login to my account: hackernews@mailinator.com:bacon123

is that a crime?

I have a startup idea: show the plaintext username and password on my website for every website I registered with, and if somebody logs in using them, sue them for money. I will give the lawyer 50%. Profit and vacation. :D

You've given everyone permission so no, it's not a crime.

That silly password is a crime.

Too many brazilian accounts for a spammer list. There is no reason to use UOL/BOL over hotmail/yahoo/etc.

I think this is from a third-party service, back when OAuth was not common, or maybe from a fake service someone created just to steal passwords. There are many accounts that couldn't possibly be created on twitter:


The large number of Hotmail and Yahoo email addresses used also speaks to the possibility of these being bot generated. I tried logging into a few but got incorrect password messages. I wonder if they have already been reset.


It seems the usernames are quite random as well. So far, not much lost then :)

This is entirely speculation on my part, but maybe this is some insight into how many spam accounts there are on Twitter.

I am fairly worried by the security policy at Twitter.

For example, I have a friend who had his Twitter account hacked. As an experiment, he deactivated the account, but did not change the password. Whoever had the password logged into the hacked account and reactivated it. When he received the email of the reactivation, there was no "If you did not initiate this, click here" option.

edit: formatting

There really ought to be some general rule of account classification in a broad-based public service. My very rough rule of thumb:

10% of accounts are active (daily/weekly participation)

1% of accounts are "whales" (provide high level to the service).

~15-50% of accounts are some-time users.

~25-50% of accounts are one-time users (registered but never used)

If your service is sufficiently old, call it 5-10 years ...

~25-50% of accounts are expired / no longer reachable (usually the contact email/phone is no longer valid).

Active spammers don't have to be a high level of the service to be disruptive, but can be anywhere from 1-25%, mostly depending on how effective you are at rooting them out.

Very, very rough, and no, I don't have a particularly good basis to back these up other than the first 2-3 values.

Yeah, the passwords are also short strings like 4040. Usually twitter doesn't let you define such an insecure password.

I've made some throwaway accounts for testing, and found that insecure passwords are A-OK for Twitter!

Why don't you share the username/password here and we'll see how much sharing we can get away with (let's try not to ruin the fun by changing the password...)

Wow, is this ever unpopular. I didn't mean "of your account", I meant "of your throwaway twitter account with lax security, to see if twitter minds whether several or dozens of people use one from all different IPs". Or whether, like Google, they even care if people do unusual, suspicious things. Never mind, I guess!

Interesting, I got what you meant straight away and thought it would be interesting to see what happens too. Shame eh!

There are a few in there like that, but just glancing at it the majority of them are suspiciously uniform. 8 random-looking characters, upper/lower/number.

If this really is a list of spammer accounts, the ones that look like real accounts are probably stolen from legit users to be used for spamming.

I agree - quick sample, search 'safal' in the first pastebin link. It comes up in the username 87 times...

Can you elaborate technically on how you went about this? Thanks!

I checked a few and found exactly the same.
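The commenters above did by hand what a triage script can do over the whole dump: bucket each password by shape (the "8 random-looking characters, upper/lower/number" pattern versus short or dictionary-style choices), count how often the same username stem repeats (the 'safal' observation), and tally email domains. The script below is an added example, not code from the thread or from any of the commenters, and it runs on a small constructed `user:password` sample rather than the actual pastebin; the 50% "looks generated" threshold is an assumption chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample in the "user:password" shape the thread describes.
# These lines are invented for this example; they are not from the leaked list.
SAMPLE_DUMP = [
    "safal_0173:Kp3xQz9L",
    "safal_0918:mN7vRt2Y",
    "safal_2204:Wq8hTs4B",
    "joao.silva@bol.com.br:4040",
    "maria_rj@uol.com.br:brasil",
    "spamuser11:aZ5kLp0Q",
    "realperson@hotmail.com:password1",
    "safal_5561:Hd2wXc6R",
]

# "8 random-looking characters, upper/lower/number": exactly 8 alphanumerics
# containing at least one lowercase letter, one uppercase letter and one digit.
UNIFORM8_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8}$")


def parse_line(line):
    """Split 'user:password' on the first colon; return None for malformed lines."""
    user, sep, password = line.strip().partition(":")
    if not sep or not user:
        return None
    return user, password


def classify_password(password):
    """Bucket a password by the shapes the commenters noticed."""
    if UNIFORM8_RE.match(password):
        return "uniform8"        # looks machine-generated
    if len(password) < 6:
        return "short"           # e.g. '4040'
    if password.isalpha() and password.islower():
        return "lowercase-word"  # dictionary-style human choice
    return "other"


def username_stem(user):
    """Drop an email domain and trailing digits/underscores: 'safal_0173' -> 'safal'."""
    local = user.split("@", 1)[0]
    return re.sub(r"[\d_]+$", "", local)


def email_domain(user):
    """Return the lowercased email domain, or None when the username is not an address."""
    return user.split("@", 1)[1].lower() if "@" in user else None


def summarize_dump(lines):
    """Tally password shapes, repeated username stems and email domains across a dump."""
    by_class = Counter()
    stems = Counter()
    domains = Counter()
    n = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, password = parsed
        n += 1
        by_class[classify_password(password)] += 1
        stems[username_stem(user)] += 1
        domain = email_domain(user)
        if domain:
            domains[domain] += 1
    uniform_share = by_class["uniform8"] / n if n else 0.0
    return {
        "n": n,
        "by_class": dict(by_class),
        "uniform_share": uniform_share,
        "top_stems": stems.most_common(3),
        "domains": dict(domains),
        # Heuristic threshold: an assumption of this example, not a rule from the thread.
        "looks_generated": uniform_share > 0.5,
    }


if __name__ == "__main__":
    for key, value in summarize_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the file's lines; a high `uniform_share` alongside a few long-tail "lowercase-word" or "short" entries is consistent with the thread's reading that most entries are generated and the odd ones may be stolen real accounts, but the script only measures shape and cannot tell a generated account from a real one with a generated password.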
