13 comments

[ 2.5 ms ] story [ 44.8 ms ] thread
I'm one of the 250k accounts that were compromised. Seeing as they are saying the attackers got the salted hashed passwords, not the originals, I'm wondering if that means it was Twitter's systems that were compromised as where else would those be obtainable from?

I'm wording the above to refrain (yet) from declaring "Twitter was hacked" but I guess that is what it is looking like :(

Did they sent you your email yet? Would you mind pasting here if you do, for posterity if nothing else?
Yep I got it before they even posted the blog post, and my friend in security @ Twitter couldn't yet reveal why. Here's the email:

Hi, dotBen

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.

You'll need to create a new password for your Twitter account. You can select a new password at this link: https://twitter.com/pw_rst/[redacted]

As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password

Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

In general, be sure to:

Always check that your browser's address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information! Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts. Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognize, click the Revoke Access button. For more information, visit our help page for hacked or compromised accounts.

The Twitter Team

There's no way this only hit 250k users. I have a bunch of Twitter accounts for testing and whatever, created over many years, and they all received this email.
So does that mean that juicy DMs will be pastebin'ed too?
The timing of this hack, and the fact that Twitter was (at least at one point) a Rails app, and still uses Ruby on the front end, makes me think this is likely a YAML vulnerability exploit. Can anyone confirm/rule this out?
I don't think they were vulnerable to that particular exploit. I know someone who ran the Metasploit Rails XML/YAML vulnerability scanner against Twitter.com almost immediately after its released, suspecting that they might be vulnerable. They were not.
The main site itself was very unlikely to be vulnerable, but support apps, internal apps, etc. are all vectors.
Seems like all they can do is match usernames to emails at this point, if the passwords were properly obfuscated.

Although... session tokens are gone, but could have been exploited during the window between the hack and the token purge, right?

See, this is where companies can now "game" HN. Instead of the the clearly more appropriate, "Twitter user accounts and password hashes compromised", we instead get, "Keeping our users secure".
Until some other blog puts the real deal in the headline and gets more upvotes, like this one:

http://news.ycombinator.com/item?id=5154415 - "Twitter Hacked, 250,000 User Accounts Potentially Compromised"

yeah, I actually submitted the link a minute or two after OP with a more descriptive title but it sent me here, and chances are it will hit the top with 500 or so anyhow.
I would have put a more descriptive title, but the moderators probably would have just changed it.

[edited to add] - downvoted? Seriously. That's hilarious.