Yesterday, a gigantic leak of over 55,000 Twitter account credentials (usernames and passwords) was posted to Pastebin by an unknown party. According to a CNET article on the event, Twitter is looking into the problem right now and, after some investigation, has found some oddities in the list. The first to break the story was the blog AirDemon.net, which posited that Twitter had been hacked, putting a multitude of users' security at risk.
“We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected,” Twitter spokesman Robert Weeks told CNET in an e-mail. “For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center.”
So far, Twitter has identified almost 20,000 duplicates and a multitude of suspended spam accounts, amidst a mishmash of what looks like random usernames and credentials.
Right now we're guessing that Twitter itself didn't get hacked, but that the list comes from a Twitter spambot network instead.
“It’s worth noting that, so far, we’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many log-in credentials that do not appear to be linked (that is, the password and username are not actually associated with each other),” Weeks said.
Looking at the list produces a keen sense of vertigo: many of the passwords look extremely complex, and the user-ids share a common random pattern. A typical password dump would show a greater variety of passwords, and in particular a huge number of weak ones; exemplars from previous dumps show this is always the case for passwords chosen by humans. This has led to a general suspicion in the security community that the accounts are all part of a Twitter spambot network.
Looking at the list, its beginning appears to consist of obviously generated credentials: random characters, randomized names, and robust passwords. When it passes into the section where e-mail addresses are the usernames, it begins to look a lot more human. However, a random-pick search for some of those e-mails brings up an old LulzSec leak from June 16, 2011, of 62,000 passwords from unknown sources.
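A defender triaging a dump like this would run exactly the checks the two paragraphs above describe by eye: the duplicate rate, the share of weak human-style passwords, and whether the usernames look machine-generated. The Python below is an added example, not code from the article or from Twitter; it works over a small constructed sample in the same `username:password` shape, and the weakness rules, the letter/digit-transition heuristic for "random-looking" usernames, and the verdict thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample dump (NOT the real Pastebin list): "username:password" per line,
# with deliberate exact duplicates, bot-looking rows and human-looking rows.
SAMPLE_DUMP = """\
qz7kx3mw:Vb8#pLq2!rTw9
h4tn9rpd:Xc3$mNk7@yGz1
qz7kx3mw:Vb8#pLq2!rTw9
j8vml2sx:Qa6%wRt4&uHj0
h4tn9rpd:Xc3$mNk7@yGz1
alice.jones@example.com:password1
bob.smith@example.com:letmein
carol88@example.com:Sunflower2011
dave.w@example.com:123456
alice.jones@example.com:password1
"""

# Tiny stand-in for a real common-password list (assumption for the example).
COMMON_PASSWORDS = {"password", "password1", "123456", "letmein", "qwerty", "abc123"}


def parse_dump(text):
    """Split 'user:pass' lines; skip blank or malformed rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, pwd = line.split(":", 1)
        rows.append((user, pwd))
    return rows


def duplicate_stats(rows):
    """Count exact duplicate user:pass pairs, the first oddity Twitter reported."""
    counts = Counter(rows)
    unique = len(counts)
    return {"total": len(rows), "unique": unique, "duplicates": len(rows) - unique}


def is_weak_password(pwd):
    """Human-style weak password: a dictionary favourite, short, or one character class."""
    if pwd.lower() in COMMON_PASSWORDS or len(pwd) < 8:
        return True
    classes = sum(bool(re.search(p, pwd)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    return classes < 2


def class_transitions(s):
    """Number of letter<->digit switches; random strings alternate far more than names."""
    kinds = ["d" if c.isdigit() else "a" for c in s if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)


def looks_generated(user):
    """Heuristic: not an e-mail address, and letters/digits interleaved like a random string."""
    if "@" in user:
        return False
    return len(user) >= 8 and class_transitions(user) >= 3


def triage(text):
    """Summarise a dump the way the article reasons about it: duplicates, then
    password weakness split by whether the username looks generated or human."""
    rows = parse_dump(text)
    stats = duplicate_stats(rows)
    unique_rows = list(dict.fromkeys(rows))  # drop exact duplicates, keep order
    generated = [(u, p) for u, p in unique_rows if looks_generated(u)]
    human = [(u, p) for u, p in unique_rows if not looks_generated(u)]

    def weak_fraction(group):
        return sum(is_weak_password(p) for _, p in group) / len(group) if group else 0.0

    stats["generated_username_fraction"] = len(generated) / len(unique_rows) if unique_rows else 0.0
    stats["weak_fraction_among_generated"] = weak_fraction(generated)
    stats["weak_fraction_among_human"] = weak_fraction(human)
    # Human populations skew heavily to weak passwords; generated bot accounts skew to
    # strong passwords on random usernames. Thresholds are assumptions for the example.
    stats["verdict"] = (
        "mostly generated accounts"
        if stats["generated_username_fraction"] > 0.5 and stats["weak_fraction_among_generated"] < 0.2
        else "mixed or human-chosen credentials"
    )
    return stats


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 3 duplicates out of 10 rows, no weak passwords among the random-looking usernames and a 75% weak rate among the e-mail usernames, which is the same two-population shape the article describes: a generated block up front and a human-looking tail that deserves a separate origin check.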
What can we expect?
Perhaps we're seeing a whitehat hacker trying to reveal a spambot network on Twitter and give the service a chance to quash it; or we could be seeing one spambot group informing on its competition to help weed them out. After all, the spam criminal space is extremely over-phished and thus not very profitable; knocking out some of the competition by leaking them to the "authorities" would be a good way to kick them in the teeth.
Of course, if I continue to randomly pick e-mail addresses from the leak and they continue to pull back that old 2011 LulzSec leak, perhaps we're seeing someone just re-leaking from the unknown sources that LulzSec received them from.
SiliconANGLE will update as more facts appear from this case.