Twitter is currently investigating the recent publication of thousands of user passwords on Pastebin.
"The user data, so vast that it took five Pastebin pages to post, was released yesterday and blogged about on Airdemon.net, putting the number of accounts affected at 55,000 or more," writes CNET News' Elinor Mills. "It's unclear who posted the data, and why."
"On Tuesday, Twitter stated that the claims are mainly bogus and that the posted details were duplicate information, or simply user names and passwords for suspended spam Twitter accounts, and mainly included incorrect login details, rendering them useless," writes Digital Journal's Anne Sewell.
"Based on Twitter's estimate of the number of invalid accounts contained in the data dump, and with the social network claiming to now have over 140 million active users, the breach would have affected about 0.02 percent of its user base," notes InformationWeek's Mathew J. Schwartz.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
"Yesterday a user commenting at Hacker News claimed he saw some of the listed accounts, and they smelled of spam: they had 3-6 followers but were following thousands of people (as a general rule of thumb, the more you follow, the more who follow back)," writes PCMag.com's Sara Yin. "Furthermore most of the passwords were complicated, alphanumeric combinations rather than popular human-generated passwords like 'monkey' and '12345.'"
What's more, ESET's Anders Nilsson suggests that the data may not have been stolen from Twitter's servers. "[Almost] 95 percent of the country-specific e-mails are from Brazil (.com.br)," he writes. "And of the '55,000' accounts, about 9,000 seem to be Twitter-spam accounts. I think this is probably the result of either a leak of a big Brazilian hacked website, or a Brazil-targeted phishing, combined with 9,000 Twitter-spam accounts."
"According to the company, affected Twitter users should have already received a notification email that their passwords have been reset," The H Security reports. "These users are also advised to check which apps have been authorised to access their Twitter account and revoke the access of any unknown programs or services; this can be done by logging into Twitter.com and going to Settings > Apps."