Twitter Denies Site Hack in Reputed Account Credential Dump

Twitter told eWEEK its social network and microblogging site was not hacked and that many of the user names and passwords posted online were duplicates. Despite the denial, Twitter rushed out password resets to accounts that may have been compromised.

Twitter denied on May 9 that it was hacked in response to reports that thousands of passwords and user names had been stolen and posted online.

The statement comes in response to reports that some 58,978 user name and password combinations belonging to Twitter users were dumped online Monday in a series of postings to Pastebin. According to Twitter, thousands of the user names and passwords are duplicates, and many others do not belong to legitimate accounts.

€œWe've looked into this and can confirm that Twitter was not compromised,€ Twitter spokesperson Carolyn Penner told eWEEK in an email. €œFor extra precaution, yesterday, we pushed out password resets to accounts that may have been affected. For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center.€

€œIt's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many log-in credentials that do not appear to be linked (that is, the password and user name are not actually associated with each other),€ she added.

Penner would not say how many passwords were reset.

Michael Sutton, vice president of security research at Zscaler€™s ThreatLabZ, noted that social networking credentials can become €œvaluable currency€ in the cyber-underground and are often targeted by botnets and phishing campaigns.

€œSocial networking credentials are valuable because networks, such as Facebook and Twitter, represent trusted means of communication,€ he said. €œUnlike spam email, which is completely untrusted and could come from any source, messages from contacts that you've explicitly permitted into your personal network are considered trusted, and therefore links sent in such messages have a far higher click-through rate. This fact has not been lost on criminals who go to great lengths to harvest or purchase social networking credentials and then leverage the compromised accounts to social engineer victims into visiting malicious sites."

Kapil Raina, director of product marketing at Zscaler, noted that a compromised Twitter account could potentially be leveraged in other attacks.

€œA compromised Twitter account lends itself well to being able to do this sort of targeted Trojan broadcasting,€ he said. €œUsing short URLs, users are more apt to click on malicious links and get infected as they assume a tweet from a €˜trusted€™ source is legitimate. The ultimate goal generally is to use the compromised account as the beachhead for a more lucrative attack inside an organization.€