The reincarnation of LulzSec—a now disbanded hacker Internet-mayhem group who ruled the cyberseas and media for a portion of last year—has surfaced with a notable leak of Twitter authentication belonging to users who signed up for TweetGif, an animated GIF-sharing application. The group “LulzSec Reborn” published a .SQL file on Pastebin.org containing a staggering amount of detail about the user accounts.
According to an article at PCMag, the file contains a trove of information:
The file contained an unusually detailed trove of information on each member: usernames, passwords, real names, locations, bios, avatars, secret tokens used to authenticate TweetGif to pull Twitter data, and even their last tweet. The hackers’ motivations are unclear at this point; an announcement posted on Pastebin merely linked to a destination for people to download the .SQL file.
The Pastebin announcement links to the destination file, which appears to be a dump of a SQL database table: “users.” As mentioned in the PCMag article, the table includes a lot of unexpected information alongside usernames, passwords, a “realname,” encoded location information, and the secure tokens that TweetGif uses to access accounts on Twitter.
It’s important to note that allowing an external application access to Twitter does give it a lot of information about your account and we’re seeing the fallout from this. As a result, it’s important to vet the site that you permit access. In this case, the hackers broke into TweetGif and stole data regarding its connection to Twitter and not Twitter themselves.
Users who use TweetGif potentially stung in this will still want to change their passwords; although there’s little analysis of if the password hashes in the database dump can be exchanged for Twitter passwords or not.
LulzSec Reborn appeared in March 2012 after the FBI and other national organizations began sweeping up the remnants of now-defunct LulzSec. During that same time, the erstwhile original leader of LulzSec, Sabu, was revealed to be an FBI turncoat who sold out his fellow members to law enforcement. During their initial publicity (and some hacks) they trumpeted that they’re the return of the original LulzSec. Many industry experts, such as Sara Yin from F-Secure, have cast doubts on the likelihood that LulzSec Reborn has any member connections to the original LulzSec in the first place.
There may yet be the chance that they’ve gotten their hands on older LulzSec archives, as we’ve seen a recent May 2012 leak of 55,000 Twitter passwords that in-part matched an old LulzSec leak from 2011.