Twitter Denial of Alleged Site Hack Leaves More Questions Than Answers

 
 
By Wayne Rash  |  Posted 2012-05-09 Email Print this article Print
 
 
 
 
 
 
 

The question of the day is where the hacker group Anonymous got that list of nearly 60,000 names and passwords since Twitter says it wasn't from them. Or was it some wannabe hacker who got decoyed by a stash of phony data?

The reports this week that the hacker group Anonymous somehow managed to extract nearly 60,000 user names and passwords from Twitter and subsequently post them online are raising more questions than there are answers available.

Clearly, someone or some group got a list of names and passwords that are purported to be from Twitter. This list of names appeared on Pastebin.com on Tuesday, put there by an anonymous user.

But when you look at those alleged user names and passwords, the contents of the list itself raise questions, regardless of whether the group Anonymous obtained them or whether it was someone else just preferring to remain anonymous. When you look at the lists (they're here: 1 2 3 4 5) you'll notice a couple of important characteristics, such as that virtually none of the passwords matches the 25 most popular passwords of 2011.

Of course, a few here and there match the top 25, but only a few. If this had been a real list of users and passwords, the expectation would be for a very high percentage. Instead, nearly all of them qualify as strong, hard (or impossible) to remember passwords€”something highly unlikely.

The next thing you'll notice on the list is that nearly all of the email addresses are from free services such as Hotmail or Gmail. Only a tiny percentage appears to be real email addresses. If this were a list of real Twitter users, you'd expect a higher ratio of addresses from other types of Internet providers and companies.

So even without Twitter's comment that the list is bogus, it's possible to tell from a close examination of the list that the chances of it being real are vanishingly small. But add that to the fact that apparently 20,000 of the entries on the list are duplicates and most of the rest are users who have been bounced from Twitter, and you have to wonder exactly where this list came from.

There is speculation that Anonymous is retaliating against Twitter for bouncing spammers. But I don't think this is the case. For one thing, the folks who are associated with Anonymous aren't dumb. They can look at a list like this and see that it's clearly fake.

This raises the question of whether the hacker group Anonymous was even involved at all. I suspect it wasn't, if only because the group wouldn't have made a mistake this basic. Instead, I think that the fact that the person who posted the list is anonymous in the lower case sense shows they just don't want anyone to know who they are.

 
 
 
 
Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.
 
 
 
 
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel