is it just me, or do the vast majority of the passwords appear to be the default randomly generated passwords? How many of these accounts are even active?
I also see a lot of randomly generated accounts, but a lot of legitimate ones as well. I think the big chunks of similar looking accounts were created by spambots.
Any idea where these came from? Was Twitter actually hacked somehow (and if so, why only 55k)? Or was 3rd-party software that collected Twitter credentials hacked? Can 3rd-party software even collect credentials at all or is OAuth the only authentication flow that works today?
I just did a random sampling of these accounts, and what's interesting is that every one of the twenty accounts I looked at had about 3-6 followers, and was following thousands of people (or it was suspended).
All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.
On a hunch, I logged in to a few of those accounts and saw that they all had messages asking them to confirm their email addresses, as they had not done so yet.
This is probably not a "leak," but some spammer's list of fake accounts.
This is entirely speculation on my part, but maybe this is some insight into how many spam accounts there are on Twitter.
I am fairly worried by the security policy at Twitter.
For example, I have a friend who had his Twitter account hacked. As an experiment, he deactivated the account, but did not change the password. Whoever had the password logged into the hacked account and reactivated it. When he received the email of the reactivation, there was no "If you did not initiate this, click here" option.
There really ought to be some general rule of account classification in a broad-based public service. My very rough rule of thumb:
10% of accounts are active (daily/weeekly participation)
1% of accounts are "whales" (provide high level to the service).
~15-50% of accounts are some-time users.
~25-50% of accounts are one-time users (registered but never used)
If your service is sufficiently old, call it 5-10 years ...
~25-50% of accounts are expired / no longer reachable (usually the contact email/phone is no longer valid).
Active spammers don't have to be a high level of the service to be disruptive, but can be anywhere from 1-25%, mostly depending on how effective you are at rooting them out.
Very, very rough, and no, I don't have a particularly good basis to back these up other than the first 2-3 values.
why don't you share the username/password here and we'll see how much sharing we can get away with (let's try not ruin the fun by changing the password...)
wow is this ever unpopular. I didn't mean, "of your account", I meant of "your throwaway twitter account with lax security, to see if twitter minds whether several or dozens of people use one from all different IP's". Or whether, like Google, they even care if people do unusual, suspicious things. Nevermind, I guess!
There are a few in there like that, but just glancing at it the majority of them are suspiciously uniform. 8 random-looking characters, upper/lower/number.
If this really is a list of spammer accounts, the ones that look like real accounts are probably stolen from legit users to be used for spamming.
The large number of Hotmail and Yahoo email addresses used also speaks to the possibility of these being bot generated. I tried logging into a few but got incorrect password messages. I wonder if they have already been reset.
"This is probably not a 'leak,' but some spammer's list of fake accounts."
Ok, since I like to randomly speculate about various facts, consider the following, what if this was a white hat operation? We have seen that folks who uncover botnets are in a weird place because if they take them out they can be accused of violating the CFA but if they leave them in place, the world stays sucky. So what to do? A creative missive to not take them out?
A white hat can 'leak' all of the spam accounts, which engages Twitter's customer relations team, which disables all the accounts because they might be 'compromised' and sends an email to the owner to change their password. Except they are spam accounts and don't have real emails so the emails go into the bit bucket and 55,000 spam accounts go dark. I realize that is a lot of construction.
Said email would become a confession and evidence if Twitter (or a third party that had this list) were to charge the leaker under CFA (or the relevant law in their country). Posting it anonymously has the same effect without exposing the leaker to legal issues.
Well follow that logic a bit, your a social networking company, you get email from person A (who you don't know) saying that user B is a spammer. (or that these 55K accounts are spammers) what do you do?
Well if you do anything automatically then you put yourself at risk for people bullying other legit users by accusing them of spamming. Since real users tweet all sorts of bad things when you accidentally ban them, you want zero false positives, so you have a fairly heavy weight policy.
So if the policy takes an hour per account, reports of 55,000 would be really hard to do. However, if you release the passwords of them into the 'wild' then all Twitter has to do is 'prevent further abuse' which is a password reset and mass mailing.
Again, its pure speculation on this leak, the problems with acting on internet reported abuse is one that I got to see first hand at Google when I was there (people get reported as spammers, accounts get disabled, tempers flare, nobody is happy, it is a really hard problem.)
I doubt it, but that's a really interesting what-if. If you think about it though, if you're going to auto-generate accounts, wouldn't hard-to-crack passwords be easier to generate than dictionary-based ones?
Many of these accounts are from Brazilians (like me) who use shitty passwords (unlike me). I checked a few of them and they seem legit. I was even able to log into one of the user's hotmail account, it was a real person. Not saying all of them are, but at least a few arent.
It is not that I care or that I think that you did something immoral, IMO you didn't harm anyone but it is still probably illegal (obviously depending on the jurisdiction).
Unethical and probably illegal. You just admitted to logging into someone else's account without their permission. At the very least you probably violated Twitter's terms.
If I never signed up for a twitter account and only signed into one for the first time using these leaked passwords, I haven't agreed to any terms of service.
I have a startup idea, show plaintext username and password on my website for every website i registered, and if somebody logged in using them sue them for money. I will give lawyer 50%. profit and vacation. :D
Too many brazilian accounts for a spammer list. There is no reason to use UOL/BOL over hotmail/yahoo/etc.
I think this is from a third-party service, back when OAuth was not common, or maybe from a fake service someone created just to steal passwords.. There are many accounts that couldn't possibily be created on twitter:
MANY of the accounts fit that pattern. A large number have the same seemingly random 6-digit numeric password. Another large number have exactly 8 characters of pseudo-random alphanumerics.
But many of them have exactly the kind of password you would expect humans to have. Maybe those were accounts that were stolen (phished?) and added to the spam operation, but they certainly seem like human-generated (i.e. mostly bad, but more importantly, without an obvious pattern) passwords to me.
Given that, as jaysonelliot already pointed out, most of these passwords seem auto-generated and are indicative of non-human accounts...then I guess the source of this leak isn't from a phishing operation.
"'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider."
At first my reaction to the story was "like I give a tweet!" What are they going to do, tweet something inane? Um... that's kind of the point of the whole service, isn't it?
But then I remembered the true vulnerability with leaked usernames/passwords: people use the same ones across sites.
These same people would never change their username/password combo on ANOTHER site due to prompting ont he Twitter site. They just can't read and follow directions like that. (If they could they probably wouldn't have the same username/pd combo).
So, I think that:
"'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider." is asking the impossible.
The only malicious activity is on the users' other, real, non-SMS-length-message-broadcasting-to-the-whole-world accounts... (email, facebook, etc)
I just looked at one of the pages and by looking at the data, it looks like it's from Brazil. Portuguese names,portuguese passwords. That was the page with L-O.Not Portugual either, Brazil. So a good sense of observation I have.
"Unbelievable that Twitter isn’t taking any necessary steps to keep its users data safe. Even after encountering a huge number of hacks in the past including celebrities account. All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."
If only it was that easy to prevent account stealing.
Sure, but that doesn't tell you how many dupes were in the original list (unless you were to separately keep a linecount). Hrm ... does pv let you do that?
Every single account I checked has constantly retweeted the account @Swagstro[1]. They have 314k followers, but no "Verified Account" tag (which extremely popular users tend to have). I don't mean to point the finger, but it seems like these accounts were used to boost the popularity of said account.
EDIT:
They gained 70k followers in the past two days alone[2].
EDIT 2:
Their tweets have all disappeared since posting this comment.
CONCLUSION:
Automatically generated accounts, profiles, and tweets. These accounts are used for services that provide paid followers and retweets. It's actually pretty interesting stuff if you look at the automatically generated "Twitter Ipsum" that is their profile descriptions and how they randomly pick quotes from famous people to tweet.
If you look at who that account is following, there seems to be a whole network of people using accounts with names close to (or impersonating) celebrities who all re-tweet each other and promise "10 follow-backs for each follow" and "if you follow <random> I'll follow you" etc.
Looks like either some kind of weird social hack/club or I don't know what..
This account has close to 1M followers, and appears to be in that same network or loop of spammy follower-harvesting group..
Actually, that account looks pretty legit (in the sense that it's not 100% bot generated).
Look at Swagstro's follower list [1], and Cmd/Ctrl-F for "holic", "fanatic", "introvert", "bacon", "wannabe". Almost all of the accounts are simply randomly generating the Lorem Ipsum of Twitter descriptions.
This makes me wonder if Twitter is ever going to crack down on these spam accounts, or put in place some preventive measures. Right now it's really encouraging for spammers to create these accounts and sell their services. There's still lots of room for improvement in these bot accounts, currently they're still too easy to detect.
Fascinating stuff. I guess the grey ecosystem is evolving on Twitter. A look at his followers - https://twitter.com/#!/Swagstro/followers - implies nearly all are fake just from their descriptions... not the '18 luv sex lol' fake but some sort of algorithmically generated description that seems legit until you compare it with all his other followers. Most are a riff on the following: "Thinker. Writer. Bacon buff. Typical music ninja. Extreme entrepreneur. Web geek. Social media fan. Devoted reader. Subtly charming troublemaker".
Anyone know anything more about this? Are there companies overtly selling followers?
I disagree that the all or even most of the passwords are randomly chosen, there's too little entropy for it to be a pseudo random system, and too much for it to be a simple algorithm based on the username. I'd bet the percentage of the accounts here that are spammers reflects the same percentage as the overall site, and is probably shockingly high.
---
...
natymattyoly_souza@hotmail.com:123456789321 < probably guessed numbers until the system said it wasn't "too obvious"
...
anderson_andimdim@hotmail.com:159753100 < physical numpad pattern, "X" + 100
...
danielmarianosantana@hotmail.com:euamominhamae < "i love my mom" in portuguese... Twitter blocks "iloveyou" as it's a really common password, but this seems similar
joaovitor.bragaferreira@hotmail.com:africadosul
rafacavali82@hotmail.com:molestia
girlangts@hotmail.com:tei,xei,ra,
theublack10@hotmail.com:matheussofia
r_gto33@hotmail.com:picaxura
There are many others that may be autogenerated, but I think we can rule out the idea that most or all of them are. The common patterns are probably just because humans are bad at this "make up a secret that no one else makes up" game.
I took a sample of 34k. I may have had some files that didn't download fully[1]. I was only interested in picking out some trends.
66 - No password (ie null)
580 - had the password "315475"
492 - had password "123456"
187 - had password "123456789"
68 - had password "102030"
62 - had password "123"
52 - had password "12345"
44 - had password "1234"
29 - had password "101010"
35% were numeric/number only passwords. There were many that were a variation of 123...
The rest appear to be a mixture but first names are popular. I haven't tried, but would assume many of these would be the same passwords for the registered email (username).
The day someone comes up with an alternative to passwords it will be a great day!
Edit: [1] 34k unique accounts, I must have deleted duplicate usernames/accounts.
It's a rather pleasant shade of blue, and a Syracuse, NY telephone exchange. Other than that, no significance I can gather. May well be an arbitrarily chosen random number.
> "Unbelievable that Twitter isn’t taking any necessary steps to keep its users data safe. Even after encountering a huge number of hacks in the past including celebrities account."
I don't think that's very fair.
> "All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."
Change your password if you have a Twitter account. Change that password where ever you use it. They may not have released the full list of passwords they actually have access to.
I recommend 1password for managing passwords so that issues like this are easier to manage and so that I do not use the same few passwords everywhere.
this isn't a list of passwords they gained by compromising Twitter. This is (most likely) a list of spam accounts and passwords. It doesn't look like anything was stolen from anywhere.
113 comments
[ 3.7 ms ] story [ 147 ms ] threadEdit: There are twitter accounts to match the usernames - the few I checked were bots. I won't test the passwords.
All their bios sound like bot-generated text, they all have suspiciously similar passwords that look auto-generated, and none of them seem to have much to say.
On a hunch, I logged in to a few of those accounts and saw that they all had messages asking them to confirm their email addresses, as they had not done so yet.
This is probably not a "leak," but some spammer's list of fake accounts.
It seems the usernames are quite random as well. So far, not much lost then :)
I am fairly worried by the security policy at Twitter.
For example, I have a friend who had his Twitter account hacked. As an experiment, he deactivated the account, but did not change the password. Whoever had the password logged into the hacked account and reactivated it. When he received the email of the reactivation, there was no "If you did not initiate this, click here" option.
edit: formatting
10% of accounts are active (daily/weeekly participation)
1% of accounts are "whales" (provide high level to the service).
~15-50% of accounts are some-time users.
~25-50% of accounts are one-time users (registered but never used)
If your service is sufficiently old, call it 5-10 years ...
~25-50% of accounts are expired / no longer reachable (usually the contact email/phone is no longer valid).
Active spammers don't have to be a high level of the service to be disruptive, but can be anywhere from 1-25%, mostly depending on how effective you are at rooting them out.
Very, very rough, and no, I don't have a particularly good basis to back these up other than the first 2-3 values.
If this really is a list of spammer accounts, the ones that look like real accounts are probably stolen from legit users to be used for spamming.
Ok, since I like to randomly speculate about various facts, consider the following, what if this was a white hat operation? We have seen that folks who uncover botnets are in a weird place because if they take them out they can be accused of violating the CFA but if they leave them in place, the world stays sucky. So what to do? A creative missive to not take them out?
A white hat can 'leak' all of the spam accounts, which engages Twitter's customer relations team, which disables all the accounts because they might be 'compromised' and sends an email to the owner to change their password. Except they are spam accounts and don't have real emails so the emails go into the bit bucket and 55,000 spam accounts go dark. I realize that is a lot of construction.
Well if you do anything automatically then you put yourself at risk for people bullying other legit users by accusing them of spamming. Since real users tweet all sorts of bad things when you accidentally ban them, you want zero false positives, so you have a fairly heavy weight policy.
So if the policy takes an hour per account, reports of 55,000 would be really hard to do. However, if you release the passwords of them into the 'wild' then all Twitter has to do is 'prevent further abuse' which is a password reset and mass mailing.
Again, its pure speculation on this leak, the problems with acting on internet reported abuse is one that I got to see first hand at Google when I was there (people get reported as spammers, accounts get disabled, tempers flare, nobody is happy, it is a really hard problem.)
Why do people do this? Or rather, why do people do this and then admit to it in public forums?
This is unethical and probably illegal.
Unethical and probably illegal. You just admitted to logging into someone else's account without their permission. At the very least you probably violated Twitter's terms.
(and even in the US it is much more nuanced. logging in and doing nothing with a public username and password is really in the grey area).
The only restriction on US law is how hard we want to push other governments to enforce them.
is that a crime?
I think this is from a third-party service, back when OAuth was not common, or maybe from a fake service someone created just to steal passwords.. There are many accounts that couldn't possibily be created on twitter:
Definitely looks like it was a large-scale spam operation that was hacked and not twitter itself.
I just edited the title to try to reflect the lesser impact of the leak.
But many of them have exactly the kind of password you would expect humans to have. Maybe those were accounts that were stolen (phished?) and added to the spam operation, but they certainly seem like human-generated (i.e. mostly bad, but more importantly, without an obvious pattern) passwords to me.
If this was twitter that got hacked, it implies that they're storing passwords in plain text.
That news is or should be a Big Deal.
"'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider."
At first my reaction to the story was "like I give a tweet!" What are they going to do, tweet something inane? Um... that's kind of the point of the whole service, isn't it?
But then I remembered the true vulnerability with leaked usernames/passwords: people use the same ones across sites.
These same people would never change their username/password combo on ANOTHER site due to prompting ont he Twitter site. They just can't read and follow directions like that. (If they could they probably wouldn't have the same username/pd combo).
So, I think that: "'The micro blogging platform is aware of this hack and was taking necessary actions to save those people’s account from malicious activity', said a Twitter insider." is asking the impossible.
The only malicious activity is on the users' other, real, non-SMS-length-message-broadcasting-to-the-whole-world accounts... (email, facebook, etc)
If only it was that easy to prevent account stealing.
Lots of dupes in there.
Hrm ... No, but process substitution does:
And what did we actually output?EDIT: They gained 70k followers in the past two days alone[2].
EDIT 2: Their tweets have all disappeared since posting this comment.
CONCLUSION: Automatically generated accounts, profiles, and tweets. These accounts are used for services that provide paid followers and retweets. It's actually pretty interesting stuff if you look at the automatically generated "Twitter Ipsum" that is their profile descriptions and how they randomly pick quotes from famous people to tweet.
[1] https://twitter.com/#!/Swagstro
[2] http://twittercounter.com/Swagstro
Looks like either some kind of weird social hack/club or I don't know what..
This account has close to 1M followers, and appears to be in that same network or loop of spammy follower-harvesting group..
https://twitter.com/#!/CraveMyThoughts
Look at Swagstro's follower list [1], and Cmd/Ctrl-F for "holic", "fanatic", "introvert", "bacon", "wannabe". Almost all of the accounts are simply randomly generating the Lorem Ipsum of Twitter descriptions.
[1] https://twitter.com/#!/Swagstro/followers
Anyone know anything more about this? Are there companies overtly selling followers?
Some big weekly jumps in March (~50k) and April (~30k).
Magic SEO? Or the next JB? Something to do with clothing?
The domain "swagst.ro" is currently available for US$37 per year...
[1] https://twitter.com/#!/Rene (Verified Twitter Account)
[2] http://twittercounter.com/compare/Rene/3month/followers
---
... natymattyoly_souza@hotmail.com:123456789321 < probably guessed numbers until the system said it wasn't "too obvious"
...
anderson_andimdim@hotmail.com:159753100 < physical numpad pattern, "X" + 100
...
danielmarianosantana@hotmail.com:euamominhamae < "i love my mom" in portuguese... Twitter blocks "iloveyou" as it's a really common password, but this seems similar
joaovitor.bragaferreira@hotmail.com:africadosul
rafacavali82@hotmail.com:molestia
girlangts@hotmail.com:tei,xei,ra,
theublack10@hotmail.com:matheussofia
r_gto33@hotmail.com:picaxura
There are many others that may be autogenerated, but I think we can rule out the idea that most or all of them are. The common patterns are probably just because humans are bad at this "make up a secret that no one else makes up" game.
66 - No password (ie null)
580 - had the password "315475"
492 - had password "123456"
187 - had password "123456789"
68 - had password "102030"
62 - had password "123"
52 - had password "12345"
44 - had password "1234"
29 - had password "101010"
35% were numeric/number only passwords. There were many that were a variation of 123...
The rest appear to be a mixture but first names are popular. I haven't tried, but would assume many of these would be the same passwords for the registered email (username).
The day someone comes up with an alternative to passwords it will be a great day!
Edit: [1] 34k unique accounts, I must have deleted duplicate usernames/accounts.
So maybe random generated by twitter or spam accounts?
Edit: Appear to be closed or suspended accounts.
See this forum thread: http://psx-scene.com/forums/f195/twitter-1200-follwer-hack-v... which links to this pastebin page which contains a bunch of users all with that password http://pastebin.com/0hcDigvU
http://www.colorhexa.com/315475 http://xkcd.com/221/
58978 accounts listed, 34064 unique account/passwords
25069 accounts by email 8995 accounts by usernames
Most accounts by email:
hotmail.com @ 15598
yahoo.com.br @ 2375
gmail.com @ 2148
bol.com.br @ 1031
uol.com.br @ 695
A lot of misspellings for domain names.
58978 accounts listed, 34064 unique account/passwords
25069 accounts by email 8995 accounts by usernames
Most accounts by email: hotmail.com @ 15598 yahoo.com.br @ 2375 gmail.com @ 2148 bol.com.br @ 1031 uol.com.br @ 695
A lot of misspellings for domain names.
Unless of course as other people pointed out its just the same person who registered a large portion of these accounts.
Fair point.
I don't think that's very fair.
> "All they need to do is to add a password strength checker during signup while changing passwords. And guide the users to create a strong password. That could save a lot of users frustration."
Right...
I recommend 1password for managing passwords so that issues like this are easier to manage and so that I do not use the same few passwords everywhere.