Twitter accounts were up for sale before hack

[piratemonkey]

Summary

Before the hack on 130 Twitter accounts, there was an ad on OGUsers to buy an account for 2500$. That site is dedicated to selling and buying 'og' accounts on social media platforms. Twitter has said that the first accounts compromised were those that have 1-2 letter handles. 

 

Quotes

Quote

 Before a hacking campaign tore through Twitter and compromised some of its most high-profile users, an ad went up on a gray market site that facilitates the trade of user accounts for many popular websites including Twitter. 

 

For $250 in digital currency, the seller promised they’d reveal the email linked to a Twitter account. And for $2,500, the buyer would get the account itself - satisfaction guaranteed.

“You will be given a full refund if for any reason you aren’t given the email/@,” the poster said, describing the Twitter account with an @ sign.

 

My thoughts

 I think Twitter done goofed. From what I can tell, someone accessed internal tools through a vulnerability in an API, or the site, and could access accounts with it. I feel like there should've been a password or an additional verification step before those tools could be used. 

I also think that this could hurt Twitter's reputation, especially in politics. If someone accessed (for example) Joe Biden's account and tweeted that he was dropping out of the presidential race, that would be really bad. 

 

Sources

 https://www.reuters.com/article/us-twitter-cyber-hackers/before-hack-tore-through-twitter-online-forum-offered-accounts-for-sale-idUSKCN24H3HO

 

(This was my first tech news post, please be kind in criticism :))

[dogwitch]

am not surprise. i already reported a user bug. in beta testing  site features. that allowed me to view other user post . near admin lvl.

they fix it. but how that even got out the beta access idk

[Salv8 (sam)]

i saw this and genially thought about buying and posting on the official Nintendo US twitter account that we would not add geno into smash and a bunch of other Nintendo memes.

[piratemonkey]

1 minute ago, dogwitch said:

am not surprise. i already reported a user bug. in beta testing  site features. that allowed me to view other user post . near admin lvl.

they fix it. but how that even got out the beta access idk

Jeez. That's smh worthy

 

1 minute ago, Salv8 (sam) said:

i saw this and genially thought about buying and posting on the official Nintendo US twitter account that we would not add geno into smash and a bunch of other Nintendo memes.

*Insert some warning how that would be bad, and impossible as the person selling accounts was since banned in that forum*

[Salv8 (sam)]

Just now, piratemonkey said:

*Insert some warning how that would be bad, and impossible as the person selling accounts was since banned in that forum*

there are other ways...

plus it didn't do it, wasn't worth the trouble for like, 15 mins of fun.

[piratemonkey]

2 minutes ago, Salv8 (sam) said:

there are other ways...

Sure, a strange lady in a swamp can give you a sword, but it isn't likely

[mockedarche]

There was a huge thing I think in 2018 about how a vast majority of passwords were plaintext. Im not surprised it seems twitter really doesn't do security that well.

[piratemonkey]

1 minute ago, Ohsnaps said:

There was a huge thing I think in 2018 about how a vast majority of passwords were plaintext. Im not surprised it seems twitter really doesn't do security that well.

Really?

I know that some sites still use plaintext, but I doubt twitter would be that dumb

[mockedarche]

Just now, piratemonkey said:

Really?

I know that some sites still use plaintext, but I doubt twitter would be that dumb

https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now

[piratemonkey]

2 minutes ago, Ohsnaps said:

https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now

The thing with that was that it was a bug causing passwords to not be hashed. They weren't stored in plaintext due to ignorance. 

But still, it says something (not sure what tho) about Twitter's backend and security

[eGetin]

26 minutes ago, piratemonkey said:

I think Twitter done goofed. From what I can tell, someone accessed internal tools through an API, or maybe even the site, and could access accounts with it. I feel like there should've been a password or an additional verification step before those tools could be used.

I'm pretty sure they have all the steps in place, but security is a lot more than just a single password field. They most likely have had a bug in the system that the hackers could have exploited and therefore gained access to the tools.

1 minute ago, Ohsnaps said:

https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now

So they didn't store passwords in plaintext as someone would think but instead accidentally had a code line logging the passwords before encrypting and storing them in the database. That may happen after a long debugging session and others don't catch it in the code review for a reason of another.

[piratemonkey]

1 minute ago, eGetin said:

I'm pretty sure they have all the steps in place, but security is a lot more than just a single password field. They most likely have had a bug in the system that the hackers could have exploited and therefore gained access to the tools.

Whoops meant to say it was a bug. 

What I mean with the password is that (in the future) there should be another verification step in order to prevent an attack from an outside source, or at least make it harder. 

[eGetin]

1 minute ago, piratemonkey said:

Whoops meant to say it was a bug. 

What I mean with the password is that (in the future) there should be another verification step in order to prevent an attack from an outside source, or at least make it harder. 

The thing with security is, that you may have as many verification steps as you'd like but it's still possible to have ways to get around them. Security can be though of as an onion. It has many layers and authentication layer is only one of them. I wouldn't be surprised if Twitter also has limited the internal tools to their internal network but they may have some flaws in their VPN implementation or elsewhere. It'll be interesting to hear what was the main reason for this event because it might not have been only a simple authentication bypass.

[Trik'Stari]

*wrong thread, please delete.

[soldier_ph]

Even Though my Twitter accounts Password is 99 characters long and I have setup 2FA via the Google Authenticator App, I just reset it's Password. All of my Passwords are stored in my Password manager LastPass. I reset every Password on every and all of my accounts at least every 6 Months. Don't give them any chances and stay safe out there !

[piratemonkey]

9 hours ago, Trik'Stari said:

*wrong thread, please delete.

If you read what was here I misunderstood lol

 

2 hours ago, Pascal... said:

Even Though my Twitter accounts Password is 99 characters long and I have setup 2FA via the Google Authenticator App, I just reset it's Password. All of my Passwords are stored in my Password manager LastPass. I reset every Password on every and all of my accounts at least every 6 Months. Don't give them any chances and stay safe out there !

Good job. I need to reset passwords now, thanks for reminding me lol

Edited July 17, 2020 by piratemonkey
Misunderstood a person