Bitcoin Forum
Author Topic: How the latest twitter hack might be explained by past history  (Read 521 times)
Hydrogen (OP)
July 15, 2020, 10:54:01 PM
 #1

Quote
May 3, 2018

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

https://www.zdnet.com/article/twitter-says-bug-exposed-passwords-in-plaintext/


....


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/

Facebook also stores passwords in plaintext:  https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

As far as anyone knows, they continue to do so, years after the poor security practice was first made public knowledge: https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/



Hydrogen (OP)
July 16, 2020, 04:16:33 AM
 #2

https://twitter.com/TwitterSupport/status/1283591846464233474


The latest update from twitter would appear to confirm it.
uneng
July 16, 2020, 04:32:37 AM
 #3

I'm shocked this kind of stuff is still happening after so many incidents. I see sites like twitter and facebook put so much improvement and effort into hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users' integrity on their platforms?

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.

cryptoaddictchie
July 16, 2020, 05:18:42 AM
 #4

Quote
https://twitter.com/TwitterSupport/status/1283591846464233474

The latest update from twitter would appear to confirm it.

So this move is planned including some of their employees. Twitter should investigate every single one of those personnel they had; they are not sure who's the culprit. I'm not a negative thinker but I don't want to assume that even they could be part of this. No one knows, how could security be breached instantly? Top executives of their firm might be considered as part of it.

Quote
I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.

This will be due process but I do hope they do, with money collected by this hack this will not be tolerated by authorities and demand a response from Twitter. It might be hard to track identities of those hackers using blockchain but I wish they be caught.

buwaytress
July 16, 2020, 05:48:05 AM
 #5

The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.

Debonaire217
July 16, 2020, 06:15:54 AM
 #6

I kind of disagree with the statement where they said that they have found out about a bug where the system is storing the password in plain text. Having a little knowledge about programming, it was intentional to have a line of code that masks, encrypts, or hashes the password of the users in order to secure it in whatever database we are using. Finding a bug that sees the password means that their encryption isn't strong enough to hide the password in plain text or else, it was intentional to store it which decreases the reputation of the software, web development company. Though, it doesn't necessarily mean that encrypted password is always the solution to prevent frauds, they should also strengthen the encryption just like what hashes in bitcoin look like. If I am not mistaken BTC uses SHA256 encryption, if this is possible, they might also use it for password, or even MD5 encryption just for the sake of preventing plain text passwords from showing up.

Just a little bit of info, this isn't much topic related.

There are some questions such as how could the system recognize if the password entered by the user is correct so that they could successfully log in?

The passwords are hashed once again, and looking up to the database, the system will just compare if the produced hash is the same as the stored password, but should not compare a direct plain text as password. This way, hacking will be prevented as it is way too impossible to brute force a password more than 10 characters long.
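
Added example (not part of any post in this thread, and not Twitter's code): the bug class described in the article quoted in the first post, a password written to a log before hashing, next to the hash-and-compare login check described in the post above. It uses the Python standard library's scrypt in place of bcrypt, and the field names, logger names and sample password are constructed for illustration.

```python
import hashlib
import hmac
import io
import logging
import os

# Field names treated as secrets (assumed names for this example).
SENSITIVE_KEYS = {"password", "new_password", "current_password"}
SAMPLE_PASSWORD = "correct horse battery staple"  # constructed sample value


class RedactSecrets(logging.Filter):
    """Mask sensitive fields in dict-style log arguments before formatting."""

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {
                key: "[REDACTED]" if key in SENSITIVE_KEYS else value
                for key, value in record.args.items()
            }
        return True


def hash_password(password, salt=None):
    """Return (salt, digest) using scrypt, a slow salted password hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1,
                            maxmem=64 * 1024 * 1024, dklen=32)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Re-hash the submitted password with the stored salt and compare."""
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, stored_digest)


def build_logger(name, redact):
    """Logger writing to an in-memory stream so the output can be inspected."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        handler.addFilter(RedactSecrets())
    logger = logging.getLogger(name)
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    return logger, stream


def signup(logger, db, user, password):
    """Signup handler with a debug line that logs the whole request."""
    request = {"user": user, "password": password}
    # The bug class: the request is logged before hashing happens.
    logger.info("signup user=%(user)s password=%(password)s", request)
    # The database itself only ever receives salt + digest.
    db[user] = hash_password(password)


def run_demo():
    """Run the same signup with and without the redaction filter."""
    results = {}
    for label, redact in (("unfiltered", False), ("filtered", True)):
        logger, stream = build_logger("demo." + label, redact)
        db = {}
        signup(logger, db, "alice", SAMPLE_PASSWORD)
        results[label] = {"log": stream.getvalue(), "db": db}
    return results


if __name__ == "__main__":
    for label, out in run_demo().items():
        salt, digest = out["db"]["alice"]
        print(label, "log:", out["log"].strip())
        print(label, "login ok:", verify_password(SAMPLE_PASSWORD, salt, digest))
```

In both runs the database holds only a salt and a digest and login still succeeds, yet the unfiltered log contains the password. The filter is a safety net; the primary fix is to keep the secret out of the logging call.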
Wexnident
July 16, 2020, 06:30:34 AM
 #7

Quote
The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.

There were talks about having an insider with relation to the hacks. The situation inside the company must be heavy as hell. There was news about how the hacked accounts even completely changed the mobile numbers and email accounts linked, making retrieving them a lot harder than usual.

Quote
I kind of disagree to the statement where they said that they have found out a bug that the system is storing the password in plain text. Having a little knowledge about programming, it was intentional to have a line of code that mask, encrypt, or hash the password of the users in order to secure it in whatever database we are using. Finding a bug that see's the password means that their encryption isn't strong enough to hide the password in plain text or else, it was intentional to store it which decreases the reputation of the software, web development company. Though, it isn't necessary mean that encrypted password is always the solution to prevent frauds, they should also strengthen the encryption just like what hashes in bitcoin looks like. If I am not mistaken BTC uses SHA256 encryption, if this is possible, they might also use it for password, or even MD5 encryption just for the sake of preventing plain text password to show up.

Who knows whether they're stating the real problem or not? Seeing as how a lot of companies have already used the "plain text" bug so much in the past, they probably thought they could use it as well to avoid any problems with regards to publicity and the like. Plus, if the passwords were stored in plaintext, whenever the system crosschecks it, shouldn't it be a miss or something? Or is it that, there was a separate database where the said bug saves the plaintext records of passwords, but the system still hashes them to match to the stored hash in their database?

kryptqnick
July 16, 2020, 10:55:20 AM
 #8

It's unbelievable that the passwords were actually stored... I mean, it's not hard to hash them right away, is it? As for what happened in the current hack, what I've read from official updates by Twitter on the situation is that the hackers got to employees' accounts and managed to get access to some verified user accounts through that. Which also presupposes that employees of Twitter have some sort of privileged access to Twitter accounts of people like Musk and Obama, although they clearly shouldn't. Jack seems like a nice guy, but they gotta work on those vulnerabilities harder.

davis196
July 16, 2020, 11:07:27 AM
 #9

This topic (Google, Twitter and Facebook security measures and storing of passwords) has little or nothing to do with the discussions about Bitcoin. You should move it out of the Bitcoin discussion forum.
Anyway, I'm glad that I don't use Twitter and Facebook. I'm done with social media.
I was planning to delete my Google account but Gmail, Youtube, Drive and Google Sheets are so damn convenient. Grin I guess I'll stay with Google. Sad
The tech giants will surely take some measures to increase the security and prevent such massive hacks from happening again.

cryptomaniac_xxx
July 16, 2020, 11:56:43 AM
 #10

I think it's not that the passwords are stored in plain text, it could be that the people involved used social engineering attacks like targeting Twitter employees through phishing, and then worked their way up to get to the database, crack the hashed passwords and unleash in one go. And I am assuming that this is not a one day attack, it is a careful planning from the group of hackers, maybe months to filter out high value accounts before they made their move.
avikz
July 16, 2020, 12:06:54 PM
 #11

Quote
I'm shocked this kind of stuff is still happening after so many incidents. I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.

What made you think that twitter didn't upgrade their security systems? What made you think that hackers didn't upgrade their hacking knowledge? Why do you think that suing Twitter will put an end to hacking?

Twitter employees around the world are working from home right now which is a big security challenge because all employees are using local ISPs. Obviously they are using VPN to connect to the office network, but that is not a foolproof security practice and may expose the network to breaching.

From my past experience in working with a top tier Global IT company, I can tell that such kind of hacking attacks are unprecedented; you never know what flaws hackers will find in your system! However, we always look for the efforts they have taken to mitigate the threat after it is first noticed! I believe Twitter has done their best to mitigate the attack.

But one thing I must admit that the approach taken by the hackers to make money is very low IQ approach.

Anonylz
July 16, 2020, 12:49:57 PM
 #12

I am also speechless, can you imagine the number of high profile people whose twitter accounts have been compromised within the same time frame! I sincerely don't want to believe that twitter failed to step up on security, if this is not the case, what then is the problem that hackers are gaining access to high profile accounts, one or two can be overlooked but more than that is really questionable.
I may not be a high profile person but I don't feel secure using twitter after this incident, they should really do something about their security or whatever loopholes are there.

Juggy777
July 16, 2020, 01:31:35 PM
 #13

Quote
The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.

@buwaytress normally whenever I log in to Twitter it instantly sends me a mail on my registered email id to confirm that it’s me, and I’m surprised that those guys failed to see that mail, or if someone else manages their accounts then why didn’t that person log in, and instantly secure their accounts? Also since your account has been inactive for quite a while now, I would advise you to reset your password instantly even if you’re not actively using it.

Quote

Login verification is an extra layer of security for your account. Instead of relying on a password only, login verification introduces a second check to help make sure that you, and only you, can access your Twitter account. Only people who have access to both your password and your mobile phone (or a security key) will be able to log in to your account


Sources:

https://help.twitter.com/en/safety-and-security/account-security-tips

https://www.cnet.com/news/lock-down-your-twitter-security-settings-now/
commander11
July 16, 2020, 02:04:53 PM
 #14

Quote
May 3, 2018

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

https://www.zdnet.com/article/twitter-says-bug-exposed-passwords-in-plaintext/


....


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/

Facebook also stores passwords in plaintext:  https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

As far as anyone knows, they continue to do so, years after the poor security practice was first made public knowledge: https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/






Code:
  No wonder they will be replaced by security-oriented social media giants, web 3.0 sooner or later. 

This isn't surprising at all since they are using a centralized server to store up their users' data.
By having it in a centralized server, even hashed (encrypted) data is still vulnerable to malicious attacks when [1] there are bugs [2] before hashing (in plain text) [3] when the server is compromised.
The Sceptical Chymist
July 16, 2020, 04:14:42 PM
 #15

Quote
I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?

That censorship of so-called hate posts (or whatever they're really called) is complete BS IMO, but I understand that Twitter and FB have to cave in to their advertisers' whims. Such is the world we're living in right now, but that doesn't mean they can't do that and improve security at the same time. And yeah, it does blow my mind as well that these large companies are still leaving their users' data vulnerable to attacks by hackers.

So glad I don't use social media sites anymore, and not just because of the fear of my info ending up in the wrong hands. 

Loomely
July 16, 2020, 04:28:52 PM
 #16

Investigations are still underway to confirm how such a hack happened.
It is easy to note that it is not a hack of the database, but access to sensitive data through admin powers, so it is likely that they were able to hack the computers of some workers who have access to sensitive data.

It is one of the drawbacks of working from home and employees may not have checked the links before clicking on them.
The attack is a scandal in every sense of the word.
uneng
July 16, 2020, 05:51:31 PM
 #17

Quote
What made you think that twitter didn't upgrade their security systems? What made you think that hackers didn't upgrade their hacking knowledge? Why do you think that suing Twitter will put an end to hacking?

Well, the content presented by this thread made me think giants like twitter aren't putting enough effort into keeping their users safe, besides other information I have seen around for years regarding facebook leaking data and so on.
If affected users felt morally damaged they can sue the company of course. It won't put an end to hacking, but it will put some pressure on the company to prioritize the platform's security, which I think is very reasonable considering the recurrent leaks and the hypothesis they aren't storing users' data safely:

Quote
The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

I understand employees are working from home, that can make the job harder and safety measures more complicated and delicate, but it can't be an excuse. They are supposed to offer better services for being in the spot they are among all social media platforms. They are also supposed to handle problems faster:

Quote
“Twitter's response to this hack was astonishing. It's the middle of the day in San Francisco, and it takes them five hours to get a handle on the incident,” said Dan Guido, CEO of security company Trail of Bits.
https://www.malaymail.com/news/tech-gadgets/2020/07/16/twitter-hacking-spree-alarms-experts-concerned-about-the-platforms-security/1885066

Quote
I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?
Such is the world we're living in right now, but that doesn't mean they can't do that and improve security at the same time.

True.

Tipstar
July 16, 2020, 05:57:53 PM
 #18

Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.


hatshepsut93
July 16, 2020, 07:28:04 PM
 #19

https://twitter.com/TwitterSupport/status/1283843495354970114

Quote
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.

Currently everything and everyone suggests that some employees were hacked or went rogue, which granted hackers access to the internal tools which grant permission to tweet on behalf of any user. If plaintext passwords were stolen, the attack would still go on, because there was no mass password reset.
pixie85
July 16, 2020, 08:36:40 PM
 #20

Quote
Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

If it was available to all staff in a log there's probably no way to find out who did it. If he was smart he could write down the passes that he needed on a piece of paper without ever copying or sending them anywhere from his computer.

Whether it was a hack or an inside job it still looks bad for the company but maybe it will be a wakeup call for people who store valuable information with companies like google, facebook, twitter, youtube or instagram. All of them can sell or leak your data and say they were hacked.