How the latest twitter hack might be explained by past history

[bearexin]

That has been the issue for years now, a lot of companies are storing user passwords in plain texts. That’s the reason why it’s good to use different passwords for each website you’re signing up for, that way you wouldn’t have to worry much. When one website is hacked and your password compromised, you wouldn’t have to worry too much about it because you know for sure that those hackers won’t be able to access other websites you have created an account on.

[1715017463]

1715017463

[1715017463]

1715017463

[ReiMomo]

That has been the issue for years now, a lot of companies are storing user passwords in plain texts. That’s the reason why it’s good to use different passwords for each website you’re signing up for, that way you wouldn’t have to worry much. When one website is hacked and your password compromised, you wouldn’t have to worry too much about it because you know for sure that those hackers won’t be able to access other websites you have created an account on.

But the story of Twitter hacked last day is not all about the password guessing. It is through their support and they called it social engineering attack and theymos explained it very well on this post.

Twitter called it a "social engineering attack", which makes me think that it was something simple like: the attacker called Twitter support, said, "Hey, it's <Elon Musk / Bill Gates / etc.>. Wouldn't you know it, I lost my 2FA device and my password. Could you help me?" And then the Twitter support person was like, "Sure, just give me your birthday for verification and I'll have this fixed right away, sorry for the inconvenience!"

So hacker didn't targeted the low profile twitter account of random people. Hacker chooses those high profile accounts to lure people to deposit bitcoin and hoping it will double in just 30 minutes as what the tweet said.

[kemoglo]

I'm shocked this kind of stuff is still happening after so many incidents. I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.

It's what happens when "tech giants" are built around popularity instead of solid foundations. These guys made much more money that they ever dreamed of and give no fucks in the world about the people they so easily sell to their real customers.

It's really messed up out there man.

[rexxarofmoknathal]

https://twitter.com/TwitterSupport/status/1283843495354970114

We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.

Currently everything and everyone suggests that some employees were hacked or went rogue, which granted hackers access to the internal tools which grant permission to tweet on behalf of any user. If plaintext passwords were stolen, the attack would still go on, because there was no mass password reset.

The current rumour is that there was something to do with admin privileges which lead to this entire catastrophe. Such an irresponsible way to have passwords hidden in plain text, you don't have to be a tech savvy to know that that's a terrible idea, one which has led to millions lost and bad reputation

[jpnl0006]

May 3, 2018

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.


It is quiet unfortunate for the users of twitter whose accounts were hacked. I sympathize with the, and also those were victims of the fraudulent messages. I think twitter should at this point consider decentralization as a technology to help them function optimally.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

https://www.zdnet.com/article/twitter-says-bug-exposed-passwords-in-plaintext/

....


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/

Facebook also stores passwords in plaintext:  https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

As far as anyone knows, they continue to do so, years after the poor security practice was first made public knowledge: https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/

[MCobian]

This proves that storing personal data on the internet is very dangerous, social media like Facebook, Instagram, YouTube and Twitter
are not places securely store to store personal information. I don't care whether this is an insider's work or not, but this incident opened
my mind that there is no system safe. To be sure this hacker has made a lot of money, now the world of technology is increasingly frightening.

[Cryptoababe]

What happened to twitter was highly embarrassing and many are disappointed.. Normally, there should be more security than that. I felt like no more security anywhere especially when it comes to social media platforms.
The password leaking issue will make many users not to feel secure using twitter. But hopefully, with time if such thing didn't happen again, The reputation might be back to normal.

[Sadlife]

The term "show no indication of breach or misuse was clearly used. It could be possible that it was an inside job. I mean when creating a new user in the database it automically hash the password that is if their using mysql. In fact they clear stated that the passwords where hashed and got temporarily got converted to plaintext. So my guess is someone is deliberately doing it.

[Hydrogen]

This topic (Google,Twitter and Facebook security measures and storing of passwords)has little or nothing to do with the discussions about Bitcoin.

The tech giants will surely take some measures to increase the security and prevent such massive hacks to happen again.

This has implications relevent to bitcoin and crypto. It affects every aspect of finance and business on the internet. Storing passwords in clear text on a server represents complete deregulation of security practices.

The industry standard since the 1980s was passwords being stored exclusively in an encrypted format that was one way hashed (salts) to make it extremely difficult to extract the actual password from the hashed string.

Think of recent trends of banks and crypto exchanges being hacked. Recent trends of cell phone SIM swaps being executed through social engineering to spoof logins and wipe peoples bank accounts. Now we have recent trends of social media accounts being hijacked through social engineering.

These massive upticks in cases of theft and fraud could be a result of banks, financial platforms and social media giants deregulating internet security measures.

[matchi2011]

The term "show no indication of breach or misuse was clearly used. It could be possible that it was an inside job. I mean when creating a new user in the database it automically hash the password that is if their using mysql. In fact they clear stated that the passwords where hashed and got temporarily got converted to plaintext. So my guess is someone is deliberately doing it.

With those many high profile accounts that being hacked, the chance that it's a deliberately being shared or an inside job
coming from someone around twitter is very possible, the hackers did a smooth tweets with same message or format to
attract and victimized followers and readers, the patterned of getting in with crypto followers makes them looks real,
that's how easy they've runaway with the money that they runaway.

[Rodeo02]

What happened to twitter was highly embarrassing and many are disappointed.. Normally, there should be more security than that. I felt like no more security anywhere especially when it comes to social media platforms.
The password leaking issue will make many users not to feel secure using twitter. But hopefully, with time if such thing didn't happen again, The reputation might be back to normal.

Yes , because it's a big company and popular personalities is involve with the hacking how come hacker can easily access those account in the same time ,which have different owner and have different password use .
It just proves that we should always be careful and you are not that protected using social media platform  from hacking .it is just proof that the website no matter how popular is and how many users use it still possible of hacking.

[CaVO32]

Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

Actually, it’s not more than once when they been "hacked" and twitter does have a history. One of those hack was successful owing to the weak password  chosen by member of  support staff. I guess that story didn’t teach them anything and some of their passwords are easily breakable.

With this incident, do you think these twitter users will gonna stop using this social media app? Or they will still use it after this blunder? From the looks of it, this incident will happen again and again so if you are a twitter user, better safeguard your privacy and just use it for unimportant things. Don't use it for official business and the likes. Treat it like a disposable app.

[Oceat]

Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

Actually, it’s not more than once when they been "hacked" and twitter does have a history. One of those hack was successful owing to the weak password  chosen by member of  support staff. I guess that story didn’t teach them anything and some of their passwords are easily breakable.

With this incident, do you think these twitter users will gonna stop using this social media app? Or they will still use it after this blunder? From the looks of it, this incident will happen again and again so if you are a twitter user, better safeguard your privacy and just use it for unimportant things. Don't use it for official business and the likes. Treat it like a disposable app.

It's surprising that twitter didn't take it seriously despite of the hack in the past they never learn, I guess they are up to something why they never take it seriously. That's why we should be very vigilant and never use app that will exposed us in the latter. Use it only for marketing or something but never use it as a means of chat app, use another app, we already have different chatting apps out there but still be very vigilant when using hacking could happen anytime.

[NotATether]

The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.

The hack didn't need to get user passwords to work, the hacker used an internal twitter tool, a web portal or app, to send out tweets to accounts without guessing the password. It changed the email addresses instead. That's part of the reason why password change was temporarily disabled. Our passwords are probably safe, my opinion is that they weren't accessible from the tool. It wouldn't make sense for twitter to allow such a thing for its employees to see anyway.

Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

For what we know, it doesn't look like an insider job, this attack was carried out by a lone hacker with the alias Kirk and a few buddies who lived at home. The way it was carried out isn't sophisticated enough to be an insider job. Also twitter mentioned some employees fell for a social engineering attack.

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.

[michellee]

We can make any assumption about what is going on with twitter, but until twitter announce what happens to them, we still guess without know the truth. Maybe we can wait for the next update from twitter so that we can know the real thing. If there is attacking their employees, twitter will investigate it with their staff to find the problem and fix it.

[crwth]

Because of a bug, a significant amount of money was scammed because of the verified accounts making the Tweet more legitimate. Since it's history, it should be an eye-opener for them as well, making sure that any other API, third-party access, bugs, etc. are checked and monitored.

Anyway, I saw an article that people who got scammed with that can recover their funds

https://cointelegraph.com/news/its-not-too-late-for-some-victims-of-the-twitter-scam-to-get-their-money-back

[buwaytress]

The hack didn't need to get user passwords to work, the hacker used an internal twitter tool, a web portal or app, to send out tweets to accounts without guessing the password. It changed the email addresses instead. That's part of the reason why password change was temporarily disabled. Our passwords are probably safe, my opinion is that they weren't accessible from the tool. It wouldn't make sense for twitter to allow such a thing for its employees to see anyway.

Ah right, I get it. Like one of those many social media management tools like Hootsuite then. API access granted previously, so you only need to hack the platforms that were given API access. If that's the case then it isn't even Twitter's fault (even if it was internal)? You could make it a more strict API access but that's on the end of the one requesting access, right? Just another case of human error / security deficiency.

[DoubleEdgeEX]

Recetn tweet from the Twitter support: "We just hope that our openness and transparency throughout this process and the blablabla - more like - We just hope that our openness and transparency about your passwords and the work we don´t put into."

Seriously, Jack Dorsey is such a tech geek and should know that in these times a company like his could be a major target for hackers, so why he and his team didn´t installed some more serious safety measures is beyond me

[verita1]

It is evident that Twitter has demonstrated vulnerability in its security system, it is impressive that this happens because it is such a popular social network and that influential personalities around the world have their accounts there.
Recall the incident that occurred in August 2019
Twitter CEO and co-founder Jack Dorsey has account hacked

https://www.bbc.com/news/technology-49532244

The sooner Twitter must work to solve the bugs it has and strengthen its entire network.

[Sebas.tian]

I couldn't believe this when I was told about the happenings, these big social medias should be proactive in their doings as they have all been doing with what concerns the masses. They have been fighting hate speech and can't secure users data properly, this is unspeakable; storing such sensitive data on plain text which we'll know hackers can take advantage of is awkward. Hope they are held responsible for this and made to pay for the loses.