Russian Hacker Selling Information of 32 Million Twitter Accounts, Report Says (zdnet.com) 54
An anonymous reader writes: The hacker who has links to the recent Myspace, LinkedIn, and Tumblr data breaches is claiming to have obtained a database of millions of Twitter accounts. The data reportedly includes addresses, usernames, and plain-text passwords of 379 million Twitter accounts. The hacker, Tessa88, wants 10 bitcoins, or about $5,820 for the cache. On Wednesday, LeakedSource claimed that the real number of accounts was just under 33 million, which is more than 10 percent of Twitter's monthly active accounts. This follows the hacking of Mark Zuckerberg's Twitter and Pinterest accounts.
Re: (Score:3, Informative)
Yes to 1, no to 2.
Re: (Score:3)
Or just set up the automated emails...
Re: (Score:1)
You have to be a real asshole and psychopath to think that selling hacked accounts should get someone killed, but calling for the murder of a person should not get your comment modded down.
Re: (Score:3)
Seriously, find out who this guy is, arrest him, destroy his data, and execute him.
I assume you mean the idiot at Twitter who thought it was acceptable to store plain text passwords in a database. A server should never even see a plain text password. Passwords should be salted and encrypted in the browser, using SHA-256 or stronger, before being transmitted to the server.
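What salting changes in a leaked credential table, as an added example that is not part of the thread: with a bare hash, accounts sharing a password are visible as identical rows, while a per-user salt makes every stored value distinct. The account names and passwords are constructed, and PBKDF2-HMAC-SHA256 computed on the server side with this iteration count is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 600_000  # example work factor, an assumption; tune for your hardware


def unsalted_sha256(password):
    """Bare SHA-256: the same password always yields the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def new_record(password, iterations=ITERATIONS):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; all fields are stored."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


def reused_groups(stored):
    """Users whose stored values are identical, as seen by anyone holding a dump."""
    by_value = defaultdict(list)
    for user, value in stored.items():
        by_value[value].append(user)
    return sorted(sorted(users) for users in by_value.values() if len(users) > 1)


# Constructed accounts: two users share the password the thread calls most common.
ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "Tr0ub4dor&3"}


def compare(iterations=ITERATIONS):
    """Return (groups visible with bare SHA-256, groups visible with salted KDF)."""
    unsalted = {u: unsalted_sha256(p) for u, p in ACCOUNTS.items()}
    salted = {u: new_record(p, iterations)["hash"] for u, p in ACCOUNTS.items()}
    return reused_groups(unsalted), reused_groups(salted)


if __name__ == "__main__":
    print(compare())  # bare hash groups alice and bob; salted shows no groups
```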
Re: (Score:2)
Most of us have come to accept that black hats will never be punished, because on the internet it's very easy to involve multiple unfriendly countries in a crime, and when you put American and Russian agents on the same case it's very hard to get them to stop playing "my country has the biggest dick therefore I'm in charge" and start cooperating to catch the black hat. There's a subtle difference.
Re:Why do Slashdot users continually defend hacker (Score:4, Insightful)
It's as if Slashdot users approve and encourage this type of behavior. Why?
Because the solution to the problem is better security, not more ethical hackers. Hackers will hack, regardless of the severity of the punishment. How many hackers do you think will be dissuaded by stern disapproval from Slashdot?
Re: (Score:2)
I think most people here do not agree with the hacker's actions; however, most of us probably think that people should stop voluntarily putting all their information and their lives into public social networks. Yes the hacker is to blame, but all the users can be blamed too.
Is there any way to check if your own email... (Score:1)
...is on the list?
Or more generally, is there a reputable website that provides this service already?
Re: Is there any way to check if your own email... (Score:4, Informative)
There's no way to check if your account is on the Twitter account list. That would require knowing the list, which the hacker is selling.
In general, you should visit https://haveibeenpwned.com/ on occasion to see if your account data was breached.
Best practice is to have different passwords everywhere, so hackers can't use stolen passwords from one site to log in to another site. This is one of the reasons selling accounts is profitable.
My opening bid: $0.32 (Score:2)
OK, let me make the opening bid. I'll give you $0.32 for all of 'em, since about 70% are probably dormant, another 20% are hooked up to broadcast services, 9% are chatbots, and the rest are probably morons for using easily-guessable passwords or falling victim to "data entry" phishing attacks.
Re: (Score:2)
Re: (Score:2)
It's a deal. I can give you 120,000 of them.
Ready for it? The most common password was "123456". [cnn.com]
That will be $38,400 please.
This could be a scam (Score:4, Interesting)
Someone claims this is a scam - the accounts were actually sourced from Tumblr and LinkedIn leaks
https://jesterscourt.cc/member... [jesterscourt.cc]
Re: (Score:3)
Sourced and then tested... doesn't make it a scam.
Don't trust leakedsource.com (Score:2)
I paid those fuckers for access, never got one - all searches still return bare numbers without any data - "subscribe to see raw data".
My five (!) support requests remain unanswered (I sent the first one over four days ago).
It looks like they indeed have the leaked data, but they are not willing to share it with anyone.
Good thing... (Score:2)
It's a good thing I don't have Myspace, LinkedIn, and Tumblr accounts. Twitter? I think I got two of them I started years ago. At the time I'm sure I had a reason. I get messages on two different email accounts from Twitter, so I figure I have the accounts.
Maybe I can go cancel them (if it's possible). I see no need for them whatsoever. Or am I missing something?
Re: (Score:2)
Wrong attribution (Score:3, Informative)
This isn't just Twitter (Score:3)
Re: (Score:2)
If it's true that the passwords have been harvested by malware which uploads the victim's browser's password cache, then this is not just Twitter. It's every site you use. The lesson, if you create websites which require authentication, outsource the authentication function to OpenID providers who have three factor authentication (e.g. Google) - or implement three factor authentication infrastructure yourself, which is not trivial.
Common Sense security mechanisms are trivial.
Getting the average user or even service provider to adopt it as a matter of default is another matter entirely.
We'll need the masses to have their identities stolen and force them to spend money on recovering their lives, reputations, and credit ratings before any real adoption is going to take place. Needless to say, the average ignorant user is gonna have to learn the hard way.
It's like dealing with a fucking teenager. They always know better, right up to th