113 comments

[ 3.7 ms ] story [ 147 ms ] thread
is it just me, or do the vast majority of the passwords appear to be the default randomly generated passwords? How many of these accounts are even active?
Yeah, I'm seeing alot of randomly generated numbers as passwords -- is that the twitter default?
I also see a lot of randomly generated accounts, but a lot of legitimate ones as well. I think the big chunks of similar looking accounts were created by spambots.
Why 55k? Gotta wonder where those specific accounts came from
Any info on how exactly this was accomplished?
Any idea where these came from? Was Twitter actually hacked somehow (and if so, why only 55k)? Or was 3rd-party software that collected Twitter credentials hacked? Can 3rd-party software even collect credentials at all or is OAuth the only authentication flow that works today?
could be an old list from a 3rd party in the days before Oauth
The passwords in the linked pages look far too random for humans to have chosen. My guess: either they're a spammer's account list, or this is a hoax.

Edit: There are twitter accounts to match the usernames - the few I checked were bots. I won't test the passwords.

I just did a random sampling of these accounts, and what's interesting is that every one of the twenty accounts I looked at had about 3-6 followers, and was following thousands of people (or it was suspended).

All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.

On a hunch, I logged in to a few of those accounts and saw that they all had messages asking them to confirm their email addresses, as they had not done so yet.

This is probably not a "leak," but some spammer's list of fake accounts.

Agreed.

It seems the usernames are quite random as well. So far, not much lost then :)

(comment deleted)
This is entirely speculation on my part, but maybe this is some insight into how many spam accounts there are on Twitter.

I am fairly worried by the security policy at Twitter.

For example, I have a friend who had his Twitter account hacked. As an experiment, he deactivated the account, but did not change the password. Whoever had the password logged into the hacked account and reactivated it. When he received the email of the reactivation, there was no "If you did not initiate this, click here" option.

edit: formatting

There really ought to be some general rule of account classification in a broad-based public service. My very rough rule of thumb:

10% of accounts are active (daily/weeekly participation)

1% of accounts are "whales" (provide high level to the service).

~15-50% of accounts are some-time users.

~25-50% of accounts are one-time users (registered but never used)

If your service is sufficiently old, call it 5-10 years ...

~25-50% of accounts are expired / no longer reachable (usually the contact email/phone is no longer valid).

Active spammers don't have to be a high level of the service to be disruptive, but can be anywhere from 1-25%, mostly depending on how effective you are at rooting them out.

Very, very rough, and no, I don't have a particularly good basis to back these up other than the first 2-3 values.

Yeah, the passwords are also short strings like 4040. Usually twitter doesn't let you define such unsecure password.
I've made some throwaway accounts for testing, and found that insecure passwords are A-OK for Twitter!
why don't you share the username/password here and we'll see how much sharing we can get away with (let's try not ruin the fun by changing the password...)
wow is this ever unpopular. I didn't mean, "of your account", I meant of "your throwaway twitter account with lax security, to see if twitter minds whether several or dozens of people use one from all different IP's". Or whether, like Google, they even care if people do unusual, suspicious things. Nevermind, I guess!
Interesting, I got what you meant straight away and thought it would be interesting to see what happens too. Shame eh!
There are a few in there like that, but just glancing at it the majority of them are suspiciously uniform. 8 random-looking characters, upper/lower/number.

If this really is a list of spammer accounts, the ones that look like real accounts are probably stolen from legit users to be used for spamming.

The large number of Hotmail and Yahoo email addresses used also speaks to the possibility of these being bot generated. I tried logging into a few but got incorrect password messages. I wonder if they have already been reset.
"This is probably not a 'leak,' but some spammer's list of fake accounts."

Ok, since I like to randomly speculate about various facts, consider the following, what if this was a white hat operation? We have seen that folks who uncover botnets are in a weird place because if they take them out they can be accused of violating the CFA but if they leave them in place, the world stays sucky. So what to do? A creative missive to not take them out?

A white hat can 'leak' all of the spam accounts, which engages Twitter's customer relations team, which disables all the accounts because they might be 'compromised' and sends an email to the owner to change their password. Except they are spam accounts and don't have real emails so the emails go into the bit bucket and 55,000 spam accounts go dark. I realize that is a lot of construction.

Why wouldn't they just email twitter explaining how to identify the spammers and including a list?
Said email would become a confession and evidence if Twitter (or a third party that had this list) were to charge the leaker under CFA (or the relevant law in their country). Posting it anonymously has the same effect without exposing the leaker to legal issues.
Also: Joe Jobs.
Steve's extra-evil twin? Or did you mean "Joe jobs"?
I googled but cannot find the right CFA. What is it?
Well follow that logic a bit, your a social networking company, you get email from person A (who you don't know) saying that user B is a spammer. (or that these 55K accounts are spammers) what do you do?

Well if you do anything automatically then you put yourself at risk for people bullying other legit users by accusing them of spamming. Since real users tweet all sorts of bad things when you accidentally ban them, you want zero false positives, so you have a fairly heavy weight policy.

So if the policy takes an hour per account, reports of 55,000 would be really hard to do. However, if you release the passwords of them into the 'wild' then all Twitter has to do is 'prevent further abuse' which is a password reset and mass mailing.

Again, its pure speculation on this leak, the problems with acting on internet reported abuse is one that I got to see first hand at Google when I was there (people get reported as spammers, accounts get disabled, tempers flare, nobody is happy, it is a really hard problem.)

Why not just change the passwords yourself then? While you're at it, unfollow all those people.
Because that would be illegal and easier to trace than dumping them publicly. This way Twitter does the work.
It's all illegal but you're right about Twitter doing the work.
I doubt it, but that's a really interesting what-if. If you think about it though, if you're going to auto-generate accounts, wouldn't hard-to-crack passwords be easier to generate than dictionary-based ones?
I agree - quick sample, search 'safal' in the first pastebin link. It comes up in the username 87 times...
Many of these accounts are from Brazilians (like me) who use shitty passwords (unlike me). I checked a few of them and they seem legit. I was even able to log into one of the user's hotmail account, it was a real person. Not saying all of them are, but at least a few arent.
>I was even able to log into one of the user's hotmail account, it was a real person.

Why do people do this? Or rather, why do people do this and then admit to it in public forums?

This is unethical and probably illegal.

I sent an email himself saying that his account was hacked, he should change his pwd and I didnt steal anything
It is not that I care or that I think that you did something immoral, IMO you didn't harm anyone but it is still probably illegal (obviously depending on the jurisdiction).
You care a lot
> I logged into a few of those accounts

Unethical and probably illegal. You just admitted to logging into someone else's account without their permission. At the very least you probably violated Twitter's terms.

If I never signed up for a twitter account and only signed into one for the first time using these leaked passwords, I haven't agreed to any terms of service.
Doesn't matter, still illegal.
Depends where you are, US laws don't apply to the whole world

(and even in the US it is much more nuanced. logging in and doing nothing with a public username and password is really in the grey area).

Technically, no. Effectively, yes they do.

The only restriction on US law is how hard we want to push other governments to enforce them.

(comment deleted)
login to my account: hackernews@mailinator.com:bacon123

is that a crime?

I have a startup idea, show plaintext username and password on my website for every website i registered, and if somebody logged in using them sue them for money. I will give lawyer 50%. profit and vacation. :D
That silly password is a crime.
You've given everyone permission so no, it's not a crime.
I checked a few and found exactly the same.
(comment deleted)
Too many brazilian accounts for a spammer list. There is no reason to use UOL/BOL over hotmail/yahoo/etc.

I think this is from a third-party service, back when OAuth was not common, or maybe from a fake service someone created just to steal passwords.. There are many accounts that couldn't possibily be created on twitter:

    12:12
    A:A
    ANJO_SO@RES .COM:
    917048566:2252
Can you elaborate technically on how you went about this? Thanks!
(comment deleted)
I'd put money on this being from a backdoored spam tool.
I don't think those are legit accounts because you can clearly see pattern between passwords usernames and e-mails.....
(posted this on HN after seeing it on an RSS feed)

Definitely looks like it was a large-scale spam operation that was hacked and not twitter itself.

I just edited the title to try to reflect the lesser impact of the leak.

MANY of the accounts fit that pattern. A large number have the same seemingly random 6-digit numeric password. Another large number have exactly 8 characters of pseudo-random alphanumerics.

But many of them have exactly the kind of password you would expect humans to have. Maybe those were accounts that were stolen (phished?) and added to the spam operation, but they certainly seem like human-generated (i.e. mostly bad, but more importantly, without an obvious pattern) passwords to me.

Something I haven't seemed mentioned, but this makes a BIG difference for the following reason (among others):

If this was twitter that got hacked, it implies that they're storing passwords in plain text.

That news is or should be a Big Deal.

Almost all the passwords are 8 character alphanumeric. It would mean they aren't salting, but it's within the range of md5 rainbow tables.
Given that, as jaysonelliot already pointed out, most of these passwords seem auto-generated and are indicative of non-human accounts...then I guess the source of this leak isn't from a phishing operation.
these people all have pretty sophisticated passwords. :]
You can't.

"'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider."

At first my reaction to the story was "like I give a tweet!" What are they going to do, tweet something inane? Um... that's kind of the point of the whole service, isn't it?

But then I remembered the true vulnerability with leaked usernames/passwords: people use the same ones across sites.

These same people would never change their username/password combo on ANOTHER site due to prompting ont he Twitter site. They just can't read and follow directions like that. (If they could they probably wouldn't have the same username/pd combo).

So, I think that: "'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider." is asking the impossible.

The only malicious activity is on the users' other, real, non-SMS-length-message-broadcasting-to-the-whole-world accounts... (email, facebook, etc)

I just looked at one of the pages and by looking at the data, it looks like it's from Brazil. Portuguese names,portuguese passwords. That was the page with L-O.Not Portugual either, Brazil. So a good sense of observation I have.
"Unbelievable that Twitter isn’t taking any necessary steps to keep its users data safe. Even after encountering a huge number of hacks in the past including celebrities account. All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."

If only it was that easy to prevent account stealing.

For the curious:

    curl http://pastebin.com/raw.php?i=Kc9ng18h > twitterpw.txt
    curl http://pastebin.com/raw.php?i=vCMndK2L >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=JdQkuYwG >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=fw43srjY >> twitterpw.txt
    curl http://pastebin.com/raw.php?i=jv4LBjPX >> twitterpw.txt
For the optimizers:

  for k in Kc9ng18h vCMndK2L JdQkuYwG fw43srjY jv4LBjPX; do curl http://pastebin.com/raw.php?i=$k >> twitterpw.txt; done
(comment deleted)
Or (bash/zsh):

     curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" > twitterpw.txt
Then: $ wc -l twitterpw.txt 58978 twitterpw.txt $ sort -u twitterpw.txt | wc -l 37001

Lots of dupes in there.

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" | sort -u > twitterpw.txt
Sure, but that doesn't tell you how many dupes were in the original list (unless you were to separately keep a linecount). Hrm ... does pv let you do that?

Hrm ... No, but process substitution does:

    curl "http://pastebin.com/raw.php?i={Kc9ng18h,vCMndK2L,JdQkuYwG,fw43srjY,jv4LBjPX}" | tee >(sort -u >twitterpw.txt) | wc -l
    [1/5]: http://pastebin.com/raw.php?i=Kc9ng18h --> <stdout>
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  261k    0  261k    0     0   788k      0 --:--:-- --:--:-- --:--:--  953k
    
    [2/5]: http://pastebin.com/raw.php?i=vCMndK2L --> <stdout>
    100  434k    0  434k    0     0  1630k      0 --:--:-- --:--:-- --:--:-- 1630k
    
    [3/5]: http://pastebin.com/raw.php?i=JdQkuYwG --> <stdout>
    100  349k    0  349k    0     0  1526k      0 --:--:-- --:--:-- --:--:-- 7441k
    
    [4/5]: http://pastebin.com/raw.php?i=fw43srjY --> <stdout>
    100  367k    0  367k    0     0   897k      0 --:--:-- --:--:-- --:--:--  897k
    
    [5/5]: http://pastebin.com/raw.php?i=jv4LBjPX --> <stdout>
    100  291k    0  291k    0     0  1638k      0 --:--:-- --:--:-- --:--:-- 1638k
    58978
And what did we actually output?

    $ wc -l twitterpw.txt 
    37001 twitterpw.txt
Every single account I checked has constantly retweeted the account @Swagstro[1]. They have 314k followers, but no "Verified Account" tag (which extremely popular users tend to have). I don't mean to point the finger, but it seems like these accounts were used to boost the popularity of said account.

EDIT: They gained 70k followers in the past two days alone[2].

EDIT 2: Their tweets have all disappeared since posting this comment.

CONCLUSION: Automatically generated accounts, profiles, and tweets. These accounts are used for services that provide paid followers and retweets. It's actually pretty interesting stuff if you look at the automatically generated "Twitter Ipsum" that is their profile descriptions and how they randomly pick quotes from famous people to tweet.

[1] https://twitter.com/#!/Swagstro

[2] http://twittercounter.com/Swagstro

If you look at who that account is following, there seems to be a whole network of people using accounts with names close to (or impersonating) celebrities who all re-tweet each other and promise "10 follow-backs for each follow" and "if you follow <random> I'll follow you" etc.

Looks like either some kind of weird social hack/club or I don't know what..

This account has close to 1M followers, and appears to be in that same network or loop of spammy follower-harvesting group..

https://twitter.com/#!/CraveMyThoughts

Actually, that account looks pretty legit (in the sense that it's not 100% bot generated).

Look at Swagstro's follower list [1], and Cmd/Ctrl-F for "holic", "fanatic", "introvert", "bacon", "wannabe". Almost all of the accounts are simply randomly generating the Lorem Ipsum of Twitter descriptions.

[1] https://twitter.com/#!/Swagstro/followers

This makes me wonder if Twitter is ever going to crack down on these spam accounts, or put in place some preventive measures. Right now it's really encouraging for spammers to create these accounts and sell their services. There's still lots of room for improvement in these bot accounts, currently they're still too easy to detect.
Fascinating stuff. I guess the grey ecosystem is evolving on Twitter. A look at his followers - https://twitter.com/#!/Swagstro/followers - implies nearly all are fake just from their descriptions... not the '18 luv sex lol' fake but some sort of algorithmically generated description that seems legit until you compare it with all his other followers. Most are a riff on the following: "Thinker. Writer. Bacon buff. Typical music ninja. Extreme entrepreneur. Web geek. Social media fan. Devoted reader. Subtly charming troublemaker".

Anyone know anything more about this? Are there companies overtly selling followers?

I disagree that the all or even most of the passwords are randomly chosen, there's too little entropy for it to be a pseudo random system, and too much for it to be a simple algorithm based on the username. I'd bet the percentage of the accounts here that are spammers reflects the same percentage as the overall site, and is probably shockingly high.

---

... natymattyoly_souza@hotmail.com:123456789321 < probably guessed numbers until the system said it wasn't "too obvious"

...

anderson_andimdim@hotmail.com:159753100 < physical numpad pattern, "X" + 100

...

danielmarianosantana@hotmail.com:euamominhamae < "i love my mom" in portuguese... Twitter blocks "iloveyou" as it's a really common password, but this seems similar

joaovitor.bragaferreira@hotmail.com:africadosul

rafacavali82@hotmail.com:molestia

girlangts@hotmail.com:tei,xei,ra,

theublack10@hotmail.com:matheussofia

r_gto33@hotmail.com:picaxura

There are many others that may be autogenerated, but I think we can rule out the idea that most or all of them are. The common patterns are probably just because humans are bad at this "make up a secret that no one else makes up" game.

no need to post the full details here, please redact the mail addresses.
I took a sample of 34k. I may have had some files that didn't download fully[1]. I was only interested in picking out some trends.

66 - No password (ie null)

580 - had the password "315475"

492 - had password "123456"

187 - had password "123456789"

68 - had password "102030"

62 - had password "123"

52 - had password "12345"

44 - had password "1234"

29 - had password "101010"

35% were numeric/number only passwords. There were many that were a variation of 123...

The rest appear to be a mixture but first names are popular. I haven't tried, but would assume many of these would be the same passwords for the registered email (username).

The day someone comes up with an alternative to passwords it will be a great day!

Edit: [1] 34k unique accounts, I must have deleted duplicate usernames/accounts.

What's the significance of "315475" as a password?
All of these accounts were not email address usernames - ie had no @xxxx

So maybe random generated by twitter or spam accounts?

Edit: Appear to be closed or suspended accounts.

Doing a quick analysis.

58978 accounts listed, 34064 unique account/passwords

25069 accounts by email 8995 accounts by usernames

Most accounts by email:

hotmail.com @ 15598

yahoo.com.br @ 2375

gmail.com @ 2148

bol.com.br @ 1031

uol.com.br @ 695

A lot of misspellings for domain names.

Doing a quick analysis.

58978 accounts listed, 34064 unique account/passwords

25069 accounts by email 8995 accounts by usernames

Most accounts by email: hotmail.com @ 15598 yahoo.com.br @ 2375 gmail.com @ 2148 bol.com.br @ 1031 uol.com.br @ 695

A lot of misspellings for domain names.

Does anyone know the significance of 315475 as a password? I can't immediately see what would make this so popular.

Unless of course as other people pointed out its just the same person who registered a large portion of these accounts.

Perhaps because it's fairly easy to type on a number pad?
(comment deleted)
> "Unbelievable that Twitter isn’t taking any necessary steps to keep its users data safe. Even after encountering a huge number of hacks in the past including celebrities account."

I don't think that's very fair.

> "All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."

Right...

Change your password if you have a Twitter account. Change that password where ever you use it. They may not have released the full list of passwords they actually have access to.

I recommend 1password for managing passwords so that issues like this are easier to manage and so that I do not use the same few passwords everywhere.

this isn't a list of passwords they gained by compromising Twitter. This is (most likely) a list of spam accounts and passwords. It doesn't look like anything was stolen from anywhere.