Twitter Breached, 50K Accounts Posted to Internet

Twitter said Wednesday that it is continuing to investigate an apparent data breach that resulted in more than 50,000 user names and passwords being posted to the Internet.

The data was posted across five pages (one, two, three, four, five) on Pastebin, a favorite site for hackers to post their ill gotten gains. Ordinarily, when large files are involved, data thieves “tease” their exploits at the site and include a link to a site, like BitTorrent, which supports large file downloads. The maximum file size for Pastebin is 512 KB.

Twitter is downplaying the leak because much of the information posted to Pastebin appears to be garbage. There are some 20,000 duplicates, many of the accounts belong to suspended spammers and some of it consists of “unlinked” information, information where the user name doesn’t correspond to the password paired with it.

In addition, there’s evidence that some of the accounts are duds created by robot programs. An analysis of a random selection of 20 accounts performed by Hacker News revealed that none had more than six followers, all that weren’t suspended were following thousands of people, all had similar passwords that looked auto-generated and many had unanswered messages asking them to confirm their email addresses.

Another hacker, Adrian Lamo—infamous for informing on Bradley Manning, the G.I. who leaked thousands of sensitive U.S. government documents to WikiLeaks—rapped the quality of the leak. “These files dated back to circa early-to-mid 2011, demonstrating that if a compromise had taken place, it was not recent, and quite possibly/probably not one involving Twitter,” he wrote on his Facebook page.

“They contain no e-mail addresses belonging to sensitive domains, they do not include Twitter staff, notably they don’t include me, quite possibly the most hated ex-hacker alive in the eyes of the hacker community, and they in fact seem quite random,” he observed.

“I’ve seen lists like these before,” he continued, “and, without exception, fragments of this list are what I’d expect from a collection of phished passwords sewn together into a larger list, freshened up a bit to obscure their antiquity, and presented as something new and newsworthy.”

According to a Twitter spokesperson, the company is pushing password resets to affected accounts. Meanwhile, the microblogging service is searching for answers about who leaked the account information and why they did it.

It is ironic that so many of the accounts apparently belong to spammers, since last month Twitter trumpeted its efforts to combat spam on the service by filing a lawsuit against five of the most aggressive spammers and spam tool makers targeting the microblogging site.

How the account information was obtained by the data thief is also important to Twitter, since it is operating under an agreement with the U.S. Federal Trade Commission to protect its members’ privacy. That agreement was finalized last year and stemmed from two hacking attacks on the service in 2009 where some high profile Twitter members, including President Obama, lost control of their accounts.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.