Twitter Security Flaw Leveraged to Steal User Accounts
Twitter doesn't limit the number of login attempts per account.
BuzzFeed's John Herman reports that Twitter user Daniel Dennis Jones recently found that his @blanket Twitter account had been compromised and offered for sale online.
"He was eventually able to log back into the account, but found that his username had been changed to @F*ckMyAssHoleLO (I can only assume the last 'L' got truncated), and that @blanket was now operated by someone else," Jones writes. "His account, in other words, had clearly been hacked."
"Jones did a little online digging to find his name with a bunch of other sought-after names on a site called ForumKorner, which is where his and other Twitter handles, some of which have been illegally obtained, are being sold," writes Gizmodo's Leslie Horn.
"He found that some of these rare handles were sold for around $100, while others were simply given away by the attackers to their friends," writes Softpedia's Eduard Kovacs.
"So how are these hackers able to break into Twitter accounts so easily? In turns out that Twitter only prevents a large number of login attempts based on the IP address, rather than on a per-account basis," writes SlashGear's Craig Lloyd. "So, the hackers simply use a program that constantly attempts to log in with different common passwords using different IP addresses after every several attempts."
"The moral of the story? Twitter needs to fix this hole ASAP," writes Complex Tech's Damien Scott. "In the meantime, if you have what may be an 'OG' Twitter name -- one with a singular word, like 'blanket' -- you should change your password to something more complicated."