
Summary:

The details, which appear to be genuine, do not include passwords. They do include OAuth tokens, though, so Twitter users should probably revoke and re-establish access to connected third-party apps.


A hacker from Mauritania says he has gained access to a substantial trove of Twitter login details, which he has published online. The haul doesn’t include passwords, but now would be a good time to revoke the access of third-party apps to your Twitter account (before re-establishing that access as needed).

The hacker, who goes by the name of Mauritania Attacker, leaked just over 15,000 account details early on Tuesday through the file-sharing service Zippyshare. However, the Indian security site Techworm said it had interviewed him, and he apparently claimed to have access to the “entire database of users on Twitter.”

Tokens, but no passwords

The plain-text file that Mauritania Attacker published included Twitter user IDs and the associated OAuth tokens that are used to connect Twitter accounts to third-party services without having to reveal the user’s password to those services. However, this information in itself can help miscreants gain limited access to people’s accounts if they run the right script.

It is not clear right now whether Mauritania Attacker did actually get these details from Twitter’s systems or whether he hacked into a third-party service that connects to people’s Twitter accounts. It is far more likely that he hacked a third party — the alternative would be that he broke into Twitter’s authentication server, which is “possible but unlikely,” security expert Alan Woodward, of the University of Surrey in the UK, told me.

Woodward said the format of the tokens in the plain-text file looked “plausible.” He added that they probably wouldn’t give attackers full access to users’ accounts, but might make it possible to tweet under the victim’s name.

Good housekeeping

While users probably don’t need to change their passwords, Woodward suggested that there are defensive steps that can be taken:

“Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third party apps that have access. The reason is that at present Twitter OAuth tokens once issued do not expire. You have to manually revoke them… So, I think best thing one could [do] is to go in and revoke third party’s apps rights and then just relogin when/if you want to reaccess Twitter via that app. This way a new token will be issued.”

Mauritania Attacker has recently gained coverage for his stance as a “non-extremist” Islamist hacker. The collective he founded, AnonGhost, has attacked and defaced thousands of domains in the last year or so, largely those belonging to American and British firms and the oil industry.

A Twitter spokeswoman told me on Tuesday morning that the firm was “currently looking into the situation.”


  1. Wayne Smallman Tuesday, August 20, 2013

    So it’s a publicity stunt to gain some attention for his AnonGhost group? If it is, it’s misguided, and I mean that in a very literal sense, because why not go after “American and British firms and the oil industry” instead of the low-hanging fruit that is the general public, or is that too difficult for him?

    1. Twitter is an American firm.

  2. Islamist hacker? What does that mean exactly?

    1. A hacker who professes (peaceful) Islamist goals.

      1. Yeah, in writer’s head, that is.

  3. What platforms are affected by this? Android, WP8, iOS, Windows, Mac OS X, etc.

  4. How can I hack without downloading software to download?
