Twitter breached, 50,000 accounts posted to Internet

Most of the private account data is garbage, experts say

Twitter is investigating an apparent data breach that resulted in more than 50,000 user names and passwords being posted to the Internet. The data was spread across five Pastebin pages; Pastebin is a favorite site for hackers to post their ill-gotten gains. Ordinarily, when large files are involved, data thieves "tease" their haul on the site and include a link to a file-sharing service, such as BitTorrent, that supports large downloads, since Pastebin caps a single paste at 512KB.

Twitter is downplaying the leak because much of the information posted to Pastebin appears to be garbage. There are some 20,000 duplicates, many of the accounts belong to suspended spammers, and some of the entries are "unlinked": user names paired with passwords that do not actually belong to them.


In addition, there's evidence that some of the accounts are throwaway accounts created by bots. An analysis of a random selection of 20 accounts performed by Hacker News revealed that none had more than six followers, all that weren't suspended were following thousands of people, all had similar passwords that looked auto-generated, and many had unanswered messages asking them to confirm their email addresses.
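The two checks described above, counting exact duplicates and spotting batches of passwords that share one machine-like shape, are easy to automate against a raw dump. The script below is an added example written for this page, not code from PCWorld, Twitter or the Hacker News commenters; the dump it runs on is a constructed sample of fake accounts, and the "signature" heuristic (password length plus the set of character classes it uses) is an assumption about what "looked auto-generated" means, not a description of how the original analysis was done.

```python
"""Triage a leaked "identifier:password" dump.

Added example with constructed sample data.  It counts exact duplicate
entries and groups the remaining passwords by a coarse signature so that
batches of same-length, mixed-class passwords (the kind a registration
bot emits) stand out from human-chosen ones.
"""
from collections import Counter, defaultdict

# Constructed sample dump: fake identifiers and passwords, one per line,
# including two exact repeats and one malformed line.
SAMPLE_DUMP = """\
alice@example.com:Summer2011!
bob@example.com:bobby123
alice@example.com:Summer2011!
qx7w2@example.net:k8Hd2mQp
zt91r@example.net:p2Lf9sWn
mn4k8@example.net:r7Jg3bTq
vb6y1@example.net:c5Nh8vXz
bob@example.com:bobby123
carol@example.com:ilovecats
broken line without a separator
"""


def parse_dump(text):
    """Return (identifier, password) pairs, skipping lines with no ':'.

    Only the first ':' is treated as the separator, because passwords
    themselves may contain colons.  Identifiers are lower-cased so that
    case-variant repeats count as duplicates.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        ident, _, password = line.partition(":")
        pairs.append((ident.lower(), password))
    return pairs


def duplicate_stats(pairs):
    """Return (unique_entries, duplicate_entries) for exact repeats."""
    counts = Counter(pairs)
    duplicates = sum(n - 1 for n in counts.values())
    return len(counts), duplicates


def password_signature(password):
    """Coarse shape of a password: "<length>:<sorted character classes>".

    Classes are D (digit), L (lower), U (upper) and S (anything else), so
    "k8Hd2mQp" -> "8:DLU" and "Summer2011!" -> "11:DLSU".
    """
    classes = set()
    for ch in password:
        if ch.isdigit():
            classes.add("D")
        elif ch.islower():
            classes.add("L")
        elif ch.isupper():
            classes.add("U")
        else:
            classes.add("S")
    return f"{len(password)}:{''.join(sorted(classes))}"


def generated_clusters(pairs, min_size=3, min_classes=3):
    """Group unique passwords by signature and keep the suspicious groups.

    A group is reported when it has at least `min_size` distinct passwords
    and mixes at least `min_classes` character classes: many different
    8-character lower/upper/digit strings is what a generator produces,
    whereas human-chosen passwords scatter across lengths and shapes.
    Duplicates are removed first so a repeated entry cannot inflate a group.
    """
    by_signature = defaultdict(set)
    for _, password in set(pairs):
        by_signature[password_signature(password)].add(password)
    return {
        sig: sorted(pws)
        for sig, pws in by_signature.items()
        if len(pws) >= min_size and len(sig.split(":")[1]) >= min_classes
    }


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    unique, dups = duplicate_stats(entries)
    print(f"{len(entries)} entries, {unique} unique, {dups} duplicates")
    for sig, pws in generated_clusters(entries).items():
        print(f"likely generated batch {sig}: {pws}")
```

Run against a real dump, the duplicate count is the first thing to report (the article's 20,000 figure is exactly this number), and the signature clusters give you the candidate bot batches to spot-check for the follower counts and unconfirmed e-mail prompts mentioned above. The heuristic is deliberately coarse: a passphrase manager also emits uniform shapes, so a cluster is a lead, not a verdict.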

Another hacker, Adrian Lamo -- infamous for informing on Bradley Manning, the G.I. who leaked thousands of sensitive U.S. government documents about military abuses in Iraq to WikiLeaks -- rapped the quality of the leak. "These files dated back to circa early to mid 2011, demonstrating that if a compromise had taken place, it was not recent, and quite possibly/probably not one involving Twitter," he wrote on his Facebook page.

"They contain no email addresses belonging to sensitive domains, they do not include Twitter staff, notably they don't include me, quite possibly the most hated ex-hacker alive in the eyes of the hacker community, and they in fact seem quite random," he observed.

"I've seen lists like these before," he continued, "and, without exception, fragments of this list are what I'd expect from a collection of phished passwords sewn together into a larger list, freshened up a bit to obscure their antiquity, and presented as something new and newsworthy."

According to a Twitter spokesperson, the company is pushing password resets to affected accounts. Meanwhile, the microblogging service is searching for answers about who leaked the account information and why they did it.

It is ironic that so many of the accounts apparently belong to spammers, since last month Twitter trumpeted its efforts to combat spam on the service by filing a lawsuit against five of the most aggressive spammers and spam tool makers targeting the microblogging site.

How the account information was obtained by the data thief is also important to Twitter, because it is operating under an agreement with the U.S. Federal Trade Commission to protect its members' privacy. That agreement was finalized last year and stemmed from two hacking attacks on the service in 2009 where some high-profile Twitter members, including President Barack Obama, lost control of their accounts.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.

This story, "Twitter breached, 50,000 accounts posted to Internet" was originally published by PCWorld.