All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.
On a hunch, I logged in to a few of those accounts and saw that they all had messages asking them to confirm their email addresses, as they had not done so yet.
This is probably not a "leak," but some spammer's list of fake accounts.
Ok, since I like to randomly speculate about various facts, consider the following, what if this was a white hat operation? We have seen that folks who uncover botnets are in a weird place because if they take them out they can be accused of violating the CFA but if they leave them in place, the world stays sucky. So what to do? A creative missive to not take them out?
A white hat can 'leak' all of the spam accounts, which engages Twitter's customer relations team, which disables all the accounts because they might be 'compromised' and sends an email to the owner to change their password. Except they are spam accounts and don't have real emails so the emails go into the bit bucket and 55,000 spam accounts go dark. I realize that is a lot of construction.
Well, if you do anything automatically then you put yourself at risk of people bullying other legit users by accusing them of spamming. Since real users tweet all sorts of bad things when you accidentally ban them, you want zero false positives, so you have a fairly heavyweight policy.
So if the policy takes an hour per account, reports of 55,000 would be really hard to do. However, if you release the passwords of them into the 'wild' then all Twitter has to do is 'prevent further abuse' which is a password reset and mass mailing.
Again, it's pure speculation on this leak; the problem with acting on internet-reported abuse is one that I got to see first hand at Google when I was there (people get reported as spammers, accounts get disabled, tempers flare, nobody is happy, it is a really hard problem).
Why do people do this? Or rather, why do people do this and then admit to it in public forums?
This is unethical and probably illegal.
Unethical and probably illegal. You just admitted to logging into someone else's account without their permission. At the very least you probably violated Twitter's terms.
(And even in the US it is much more nuanced. Logging in and doing nothing with a public username and password is really in the grey area.)
The only restriction on US law is how hard we want to push other governments to enforce them.
Is that a crime?
I think this is from a third-party service, back when OAuth was not common, or maybe from a fake service someone created just to steal passwords. There are many accounts that couldn't possibly be created on Twitter:
It seems the usernames are quite random as well. So far, not much lost then :)
I am fairly worried by the security policy at Twitter.
For example, I have a friend who had his Twitter account hacked. As an experiment, he deactivated the account, but did not change the password. Whoever had the password logged into the hacked account and reactivated it. When he received the email of the reactivation, there was no "If you did not initiate this, click here" option.
10% of accounts are active (daily/weekly participation).
1% of accounts are "whales" (provide high level to the service).
~15-50% of accounts are some-time users.
~25-50% of accounts are one-time users (registered but never used).
If your service is sufficiently old, call it 5-10 years ...
~25-50% of accounts are expired / no longer reachable (usually the contact email/phone is no longer valid).
Active spammers don't have to be a high level of the service to be disruptive, but can be anywhere from 1-25%, mostly depending on how effective you are at rooting them out.
Very, very rough, and no, I don't have a particularly good basis to back these up other than the first 2-3 values.
If this really is a list of spammer accounts, the ones that look like real accounts are probably stolen from legit users to be used for spamming.