A hacker from Mauritania says he has gained access to a substantial trove of Twitter login details, which he has published online. The haul doesn’t include passwords, but now would be a good time to revoke the access of third-party apps to your Twitter account (before re-establishing that access as needed).
The hacker, who goes by the name of Mauritania Attacker, leaked just over 15,000 account details early on Tuesday through the file-sharing service Zippyshare. However, the Indian security site Techworm said it had interviewed him, and he apparently claimed to have access to the “entire database of users on Twitter.”
Tokens, but no passwords
The plain-text file that Mauritania Attacker published included Twitter user IDs and the associated OAuth tokens that are used to connect Twitter accounts to third-party services without having to reveal the user’s password to those services. However, this information in itself can help miscreants gain limited access to people’s accounts if they run the right script.
It is not clear right now whether Mauritania Attacker did actually get these details from Twitter’s systems or whether he hacked into a third-party service that connects to people’s Twitter accounts. It is far more likely that he hacked a third party — the alternative would be that he broke into Twitter’s authentication server, which is “possible but unlikely,” security expert Alan Woodward, of the University of Surrey in the UK, told me.
Woodward said the format of the tokens in the plain-text file looked “plausible.” He added that they probably wouldn’t give attackers full access to users’ accounts, but might make it possible to tweet under the victim’s name.
While users probably don’t need to change their passwords, Woodward suggested that there are defensive steps that can be taken:
“Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third party apps that have access. The reason is that at present Twitter OAuth tokens once issued do not expire. You have to manually revoke them… So, I think best thing one could [do] is to go in and revoke third party’s apps rights and then just relogin when/if you want to reaccess Twitter via that app. This way a new token will be issued.”
Mauritania Attacker has recently gained coverage for his stance as a “non-extremist” Islamist hacker. The collective he founded, AnonGhost, has attacked and defaced thousands of domains in the last year or so, largely those belonging to American and British firms and the oil industry.
A Twitter spokeswoman told me on Tuesday morning that the firm was “currently looking into the situation.”