News that 58,000 Twitter usernames and passwords were posted online by a hacker claiming to be part of Anonymous really hits me where I live. I recently wrote about how I fell for the oldest social engineering trick in the book through a bogus tweet, and that's one of the ways this stuff happens.
It came in as a direct message on Twitter from Network World writer Brandon Butler, who sits in the next cube over from me at the office. He's a nice, mild-mannered chap, so when I got a tweet in his name, I opened the link without thought. Well, that's actually not true. I did have thoughts, based on his tweet:
"Hello somebody is saying very bad rumors about you... (URL removed)"
I've been in this profession for a long time, and have found myself on the receiving end of blistering criticism plenty of times. It's a simple byproduct of the job. And yet I had to know who was spreading bad rumors about me. And I had to know right that second!
I clicked the link and got a slow-loading site that ended in a request for my Twitter username and password. Another huge red flag. But someone was out there spreading rumors about me, you see, and I had to know what it was. So I plugged in my credentials.
As the screen of my Android froze up, I got the sinking feeling that I had just committed an act of supreme dumbness. By then, it was too late.
Soon after that, a friend on Twitter sent me this message:
"Guessing you didn't mean to post that..."
It turns out the bad guys started using my Twitter account to send out a variety of spam messages to friends, including the one I fell for.
I changed all my passwords for everything, and the Twitter madness ceased.
How much this latest incident has to do with social engineering remains to be seen, and Twitter claims there are over 20,000 duplicate usernames and passwords in that data as well as many spam accounts that have already been disabled and others where usernames and passwords don’t match. I suspect Twitter is ducking full responsibility for this, and I am seeing some grumblings out there that Twitter isn't encrypting passwords as vigorously as it should.
I've gotten some comments by email from security researchers about what may or may not have happened, and what the larger implications are. I'll share some of those comments now, and end my opining with the suggestion that we all change our passwords.
“Looks like we’re seeing something usual here -- real passwords, real accounts,” said Mark Bower, data protection expert and VP at Voltage Security. “Is Twitter not encrypting its passwords on the back end or are hackers in the Twitter cloud?” he asked.
"While Twitter is downplaying the quality of the accounts posted online, the credentials do appear to be legitimate,” said Michael Sutton, VP of Security Research at Zscaler ThreatLabZ. “The means by which they were harvested is still unknown, but social networking credentials have become valuable currency in the underground and are often the target of botnets and phishing campaigns. Social networking credentials are valuable because networks such as Facebook and Twitter represent trusted means of communication. Unlike spam email, which is completely untrusted and could come from any source, messages from contacts that you’ve explicitly permitted into your personal network are considered trusted and therefore links sent in such messages have a far higher click-through rate. This fact has not been lost on criminals who go to great lengths to harvest or purchase social networking credentials and then leverage the compromised accounts to social engineer victims into visiting malicious sites."
“The recent Twitter hack highlights that breaches are happening more frequently and the stakes are potentially very high,” said Eric Chiu, president & founder of HyTrust. “Not only can these Twitter accounts be accessed, but many people use the same credentials for multiple personal and work accounts. What happens if a hacker breaches someone’s email account or corporate network? This could lead to identity theft, corporate data leaks, and more.”
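Two of the points above, that a credential dump should be deduplicated before its size is taken at face value, and that a password leaked from one site is a risk to every other site where the same person reused it, can be turned into a concrete check. The following is an added example written for this page; it is not code from Twitter, from Network World or from any of the researchers quoted, and the dump, the user list and the site it guards are all constructed. It parses a small `username:password` paste, counts exact duplicates, and then tests the leaked passwords against a hypothetical second site's user store. That store holds only salted PBKDF2 hashes, which is what a properly protected back end would leak instead of plaintext, so the comparison has to go through the verifier rather than a string match. Anyone who matches is a reuse victim and should be forced to reset.

```python
import hashlib
import hmac
import os

# Constructed leaked paste in the "username:password" form such dumps usually
# take. Every account here is invented; nothing is from the real 2012 paste.
LEAKED_DUMP = """\
alice:correct horse battery staple
bob:hunter2
alice:correct horse battery staple
carol:Password1!
dave:hunter2
mallory:letmein
"""

# PBKDF2 work factor for the hypothetical site's user store (assumption).
ITERATIONS = 100_000


def parse_dump(text):
    """Split a paste into (username, password) pairs; skip blank/malformed lines."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, _, password = line.partition(":")
        if user.strip():
            pairs.append((user.strip(), password))
    return pairs


def dedupe(pairs):
    """Return the unique pairs and how many exact duplicates were dropped.

    Duplicates are the first thing to strip before quoting a dump's size,
    which is what Twitter's '20,000 duplicates' claim is about.
    """
    seen, unique = set(), []
    for pair in pairs:
        if pair in seen:
            continue
        seen.add(pair)
        unique.append(pair)
    return unique, len(pairs) - len(unique)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; this is what the store keeps, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_store(records):
    """Hash each (user, password) into {user: (salt, digest)} as a site would at signup."""
    return {user: hash_password(password) for user, password in records}


# Constructed user list for a hypothetical second site (say, a corporate SSO).
# alice and dave reused their Twitter password there; bob and erin did not.
OUR_USERS = [
    ("alice", "correct horse battery staple"),
    ("bob", "a completely different password"),
    ("dave", "hunter2"),
    ("erin", "unrelated passphrase"),
]
OUR_STORE = build_store(OUR_USERS)


def find_reused(leaked_pairs, store):
    """Users whose leaked password also unlocks their account in `store`.

    The store holds only hashes, so each leaked password is run through the
    verifier against that user's salt; a plain string comparison is impossible,
    which is exactly the property a hashed back end gives you.
    """
    hits = set()
    for user, password in leaked_pairs:
        if user in store and verify_password(password, *store[user]):
            hits.add(user)
    return sorted(hits)


def triage(dump_text, store):
    """One-shot report: raw count, duplicates dropped, and who must reset."""
    unique, dupes = dedupe(parse_dump(dump_text))
    return {
        "raw_entries": len(unique) + dupes,
        "duplicates_dropped": dupes,
        "force_reset": find_reused(unique, store),
    }


if __name__ == "__main__":
    print(triage(LEAKED_DUMP, OUR_STORE))
```

The same loop works against a real dump if you already salt and hash passwords: you never need the leaked plaintext to live anywhere but memory, and a miss tells you nothing about the user's actual password. If your store were plaintext or unsalted, the check would be a trivial join, which is the problem.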