Author

Topic: How the latest twitter hack might be explained by past history (Read 585 times)

jr. member
Activity: 65
Merit: 2
The question concerns me is - why did the hackers come up with such a stupid text "send me 1BTC and you will receive 2BTC"? I mean they hacked some high-profile accounts, but it wasn't really profitable scam.
full member
Activity: 2184
Merit: 184
Hire Bitcointalk Camp. Manager @ r7promotions.com
I couldn't believe this when I was told about the happenings, these big social medias should be proactive in their doings as they have all been doing with what concerns the masses. They have been fighting hate speech and can't secure users data properly, this is unspeakable; storing such sensitive data on plain text which we'll know hackers can take advantage of is awkward. Hope they are held responsible for this and made to pay for the loses.
member
Activity: 1358
Merit: 81
It is evident that Twitter has demonstrated vulnerability in its security system, it is impressive that this happens because it is such a popular social network and that influential personalities around the world have their accounts there.
Recall the incident that occurred in August 2019
Twitter CEO and co-founder Jack Dorsey has account hacked

https://www.bbc.com/news/technology-49532244

The sooner Twitter must work to solve the bugs it has and strengthen its entire network.
member
Activity: 112
Merit: 17
Recetn tweet from the Twitter support: "We just hope that our openness and transparency throughout this process and the blablabla - more like - We just hope that our openness and transparency about your passwords and the work we don´t put into."

Seriously, Jack Dorsey is such a tech geek and should know that in these times a company like his could be a major target for hackers, so why he and his team didn´t installed some more serious safety measures is beyond me
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
The hack didn't need to get user passwords to work, the hacker used an internal twitter tool, a web portal or app, to send out tweets to accounts without guessing the password. It changed the email addresses instead. That's part of the reason why password change was temporarily disabled. Our passwords are probably safe, my opinion is that they weren't accessible from the tool. It wouldn't make sense for twitter to allow such a thing for its employees to see anyway.

Ah right, I get it. Like one of those many social media management tools like Hootsuite then. API access granted previously, so you only need to hack the platforms that were given API access. If that's the case then it isn't even Twitter's fault (even if it was internal)? You could make it a more strict API access but that's on the end of the one requesting access, right? Just another case of human error / security deficiency.

copper member
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
Because of a bug, a significant amount of money was scammed because of the verified accounts making the Tweet more legitimate. Since it's history, it should be an eye-opener for them as well, making sure that any other API, third-party access, bugs, etc. are checked and monitored.

Anyway, I saw an article that people who got scammed with that can recover their funds

https://cointelegraph.com/news/its-not-too-late-for-some-victims-of-the-twitter-scam-to-get-their-money-back
hero member
Activity: 2604
Merit: 816
🐺Spinarium.com🐺 - iGaming casino
We can make any assumption about what is going on with twitter, but until twitter announce what happens to them, we still guess without know the truth. Maybe we can wait for the next update from twitter so that we can know the real thing. If there is attacking their employees, twitter will investigate it with their staff to find the problem and fix it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.

The hack didn't need to get user passwords to work, the hacker used an internal twitter tool, a web portal or app, to send out tweets to accounts without guessing the password. It changed the email addresses instead. That's part of the reason why password change was temporarily disabled. Our passwords are probably safe, my opinion is that they weren't accessible from the tool. It wouldn't make sense for twitter to allow such a thing for its employees to see anyway.

Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

For what we know, it doesn't look like an insider job, this attack was carried out by a lone hacker with the alias Kirk and a few buddies who lived at home. The way it was carried out isn't sophisticated enough to be an insider job. Also twitter mentioned some employees fell for a social engineering attack.

We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.
sr. member
Activity: 2506
Merit: 368
Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

Actually, it’s not more than once when they been "hacked" and twitter does have a history. One of those hack was successful owing to the weak password  chosen by member of  support staff. I guess that story didn’t teach them anything and some of their passwords are easily breakable.

With this incident, do you think these twitter users will gonna stop using this social media app? Or they will still use it after this blunder? From the looks of it, this incident will happen again and again so if you are a twitter user, better safeguard your privacy and just use it for unimportant things. Don't use it for official business and the likes. Treat it like a disposable app.
It's surprising that twitter didn't take it seriously despite of the hack in the past they never learn, I guess they are up to something why they never take it seriously. That's why we should be very vigilant and never use app that will exposed us in the latter. Use it only for marketing or something but never use it as a means of chat app, use another app, we already have different chatting apps out there but still be very vigilant when using hacking could happen anytime.
full member
Activity: 1848
Merit: 158
Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

Actually, it’s not more than once when they been "hacked" and twitter does have a history. One of those hack was successful owing to the weak password  chosen by member of  support staff. I guess that story didn’t teach them anything and some of their passwords are easily breakable.

With this incident, do you think these twitter users will gonna stop using this social media app? Or they will still use it after this blunder? From the looks of it, this incident will happen again and again so if you are a twitter user, better safeguard your privacy and just use it for unimportant things. Don't use it for official business and the likes. Treat it like a disposable app.
hero member
Activity: 1302
Merit: 577
avatar and signature space for rent !!!
What happened to twitter was highly embarrassing and many are disappointed.. Normally, there should be more security than that. I felt like no more security anywhere especially when it comes to social media platforms.
The password leaking issue will make many users not to feel secure using twitter. But hopefully, with time if such thing didn't happen again, The reputation might be back to normal.

Yes , because it's a big company and popular personalities is involve with the hacking how come hacker can easily access those account in the same time ,which have different owner and have different password use .
It just proves that we should always be careful and you are not that protected using social media platform  from hacking .it is just proof that the website no matter how popular is and how many users use it still possible of hacking.
sr. member
Activity: 1456
Merit: 267
Buy $BGL before it's too late!
The term "show no indication of breach or misuse was clearly used. It could be possible that it was an inside job. I mean when creating a new user in the database it automically hash the password that is if their using mysql. In fact they clear stated that the passwords where hashed and got temporarily got converted to plaintext. So my guess is someone is deliberately doing it.

With those many high profile accounts that being hacked, the chance that it's a deliberately being shared or an inside job
coming from someone around twitter is very possible, the hackers did a smooth tweets with same message or format to
attract and victimized followers and readers, the patterned of getting in with crypto followers makes them looks real,
that's how easy they've runaway with the money that they runaway.
legendary
Activity: 2562
Merit: 1441
This topic (Google,Twitter and Facebook security measures and storing of passwords)has little or nothing to do with the discussions about Bitcoin.

The tech giants will surely take some measures to increase the security and prevent such massive hacks to happen again.



This has implications relevent to bitcoin and crypto. It affects every aspect of finance and business on the internet. Storing passwords in clear text on a server represents complete deregulation of security practices.

The industry standard since the 1980s was passwords being stored exclusively in an encrypted format that was one way hashed (salts) to make it extremely difficult to extract the actual password from the hashed string.

Think of recent trends of banks and crypto exchanges being hacked. Recent trends of cell phone SIM swaps being executed through social engineering to spoof logins and wipe peoples bank accounts. Now we have recent trends of social media accounts being hijacked through social engineering.

These massive upticks in cases of theft and fraud could be a result of banks, financial platforms and social media giants deregulating internet security measures.
sr. member
Activity: 1400
Merit: 269
The term "show no indication of breach or misuse was clearly used. It could be possible that it was an inside job. I mean when creating a new user in the database it automically hash the password that is if their using mysql. In fact they clear stated that the passwords where hashed and got temporarily got converted to plaintext. So my guess is someone is deliberately doing it.
member
Activity: 898
Merit: 19
Do it For Better Humanity (Bitget trader)
What happened to twitter was highly embarrassing and many are disappointed.. Normally, there should be more security than that. I felt like no more security anywhere especially when it comes to social media platforms.
The password leaking issue will make many users not to feel secure using twitter. But hopefully, with time if such thing didn't happen again, The reputation might be back to normal.
full member
Activity: 1190
Merit: 117
This proves that storing personal data on the internet is very dangerous, social media like Facebook, Instagram, YouTube and Twitter
are not places securely store to store personal information. I don't care whether this is an insider's work or not, but this incident opened
my mind that there is no system safe. To be sure this hacker has made a lot of money, now the world of technology is increasingly frightening.
jr. member
Activity: 480
Merit: 4
Quote
May 3, 2018

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.


It is quiet unfortunate for the users of twitter whose accounts were hacked. I sympathize with the, and also those were victims of the fraudulent messages. I think twitter should at this point consider decentralization as a technology to help them function optimally.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

https://www.zdnet.com/article/twitter-says-bug-exposed-passwords-in-plaintext/


....


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/

Facebook also stores passwords in plaintext:  https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

As far as anyone knows, they continue to do so, years after the poor security practice was first made public knowledge: https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/




sr. member
Activity: 980
Merit: 260
https://twitter.com/TwitterSupport/status/1283843495354970114

Quote
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.

Currently everything and everyone suggests that some employees were hacked or went rogue, which granted hackers access to the internal tools which grant permission to tweet on behalf of any user. If plaintext passwords were stolen, the attack would still go on, because there was no mass password reset.

The current rumour is that there was something to do with admin privileges which lead to this entire catastrophe. Such an irresponsible way to have passwords hidden in plain text, you don't have to be a tech savvy to know that that's a terrible idea, one which has led to millions lost and bad reputation
member
Activity: 83
Merit: 15
I'm shocked this kind of stuff is still happening after so many incidents. I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.

It's what happens when "tech giants" are built around popularity instead of solid foundations. These guys made much more money that they ever dreamed of and give no fucks in the world about the people they so easily sell to their real customers.

It's really messed up out there man.
sr. member
Activity: 2366
Merit: 305
Duelbits - $100k Bonus/week
That has been the issue for years now, a lot of companies are storing user passwords in plain texts. That’s the reason why it’s good to use different passwords for each website you’re signing up for, that way you wouldn’t have to worry much. When one website is hacked and your password compromised, you wouldn’t have to worry too much about it because you know for sure that those hackers won’t be able to access other websites you have created an account on.
But the story of Twitter hacked last day is not all about the password guessing. It is through their support and they called it social engineering attack and theymos explained it very well on this post.

Quote
Twitter called it a "social engineering attack", which makes me think that it was something simple like: the attacker called Twitter support, said, "Hey, it's . Wouldn't you know it, I lost my 2FA device and my password. Could you help me?" And then the Twitter support person was like, "Sure, just give me your birthday for verification and I'll have this fixed right away, sorry for the inconvenience!"

So hacker didn't targeted the low profile twitter account of random people. Hacker chooses those high profile accounts to lure people to deposit bitcoin and hoping it will double in just 30 minutes as what the tweet said.
full member
Activity: 1162
Merit: 168
That has been the issue for years now, a lot of companies are storing user passwords in plain texts. That’s the reason why it’s good to use different passwords for each website you’re signing up for, that way you wouldn’t have to worry much. When one website is hacked and your password compromised, you wouldn’t have to worry too much about it because you know for sure that those hackers won’t be able to access other websites you have created an account on.
hero member
Activity: 2184
Merit: 531
Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.

If it was available to all staff in a log there's probably no way to find out who did it. If he was smart he could write down the passess that he needed on a piece of paper without ever copying or sending them anywhere from his computer.

Whether it was a hack or an inside job it still looks bad for the company but maybe it will be a wakeup call for people who store valuable information with companies like google, facebook, tweeter youtube or instagram. All of them can sell or leak your data and say they were hacked.
legendary
Activity: 3024
Merit: 2148
https://twitter.com/TwitterSupport/status/1283843495354970114

Quote
We have no evidence that attackers accessed passwords. Currently, we don’t believe resetting your password is necessary.

Currently everything and everyone suggests that some employees were hacked or went rogue, which granted hackers access to the internal tools which grant permission to tweet on behalf of any user. If plaintext passwords were stolen, the attack would still go on, because there was no mass password reset.
sr. member
Activity: 1932
Merit: 300
Vave.com - Crypto Casino
Now they are claiming that it's an insider job. Someone working on twitter was involved in it. The passwords were to be encrypted even for the twitter employee but the person got a way to store a large amount of twitter passwords over a long period of time and exploited it now for maybe some internal issue or an external influence. It's a real sabotage on twitter and they got twitter in the weak spot this time.
hero member
Activity: 2044
Merit: 784
Leading Crypto Sports Betting & Casino Platform
What made you think that twitter didn't upgrade their security systems? What made you think that hackers didn't upgrade their hacking knowledge? Why do you think that sueing Twitter will put an end to hacking?
Well, the content presented by this thread made me think giants like twitter aren't putting enough effort to keep their users safe, besides other informations I see around since years ago regard facebook leaking data and so on.
If affected users felt morale damaged they can sue the company of course. It won't put an end to hacking, but it will put some pressure on the company to priorize the platform's security, what I think very reasonable considering the recurrent leaks and the hypothesis they aren't storing users data safely:

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

I understand employees are working from home, that can make the job harder and safety measures more complicated and delicated, but it can't be an excuse. They are supposed to offer better services for being on the spot they are among all social medias platforms. They are also supposed to handle problems faster:

I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?
Such is the world we're living in right now, but that doesn't mean they can't do that and improve security at the same time.
True.
newbie
Activity: 9
Merit: 0
Investigations are still underway to confirm how to do such hack happen
it is easy to note that it is not a hacking in the database, but access to sensitive data through admin powers, so it is likely that they were able to hack the computers of some workers who have access to sensitive data.

It is one of the drawbacks of working from home and employees may not have checked the links before clicking on them.
The attack is a scandal in every sense of the word.
legendary
Activity: 3528
Merit: 7005
Top Crypto Casino
I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?
That censorship of so-called hate posts (or whatever they're really called) is complete BS IMO, but I understand that Twitter and FB have to cave in to their advertisers' whims.  Such is the world we're living in right now, but that doesn't mean they can't do that and improve security at the same time.  And yeah, it does blow my mind as well that these large companies are still leaving their users' data vulnerable to attacks by hackers. 

So glad I don't use social media sites anymore, and not just because of the fear of my info ending up in the wrong hands. 
sr. member
Activity: 548
Merit: 250
0x3f17f1962B36e491b30A40b2405849e597Ba5FB5
Quote
May 3, 2018

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

https://www.zdnet.com/article/twitter-says-bug-exposed-passwords-in-plaintext/


....


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/

Facebook also stores passwords in plaintext:  https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

As far as anyone knows, they continue to do so, years after the poor security practice was first made public knowledge: https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/






Code:
  No wonder they will be replaced by security-oriented social media giants, web 3.0 sooner or later.

This isn't surprising at all since they are using centralized server to store up their users' data.
By having it in a centralized server, even a hashed (encrypted) data still vulnerable to malicious attacks when [1] there are bugs [2] before hashing (in plain text) [3] when the server is compromised.
hero member
Activity: 2646
Merit: 686
The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.

@buwaytress normally whenever I login in Twitter it instantly sends me a mail on my registered email id to confirm that it’s me, and I’m surprised that those guys failed to saw that mail, or if someone else manages their accounts then why didn’t that person login, and instantly secure their accounts?. Also since your account has been inactive for quite a while now, I would advise you to reset your password instantly even if you’re not actively using it.

Quote

Login verification is an extra layer of security for your account. Instead of relying on a password only, login verification introduces a second check to help make sure that you, and only you, can access your Twitter account. Only people who have access to both your password and your mobile phone (or a security key) will be able to log in to your account


Sources:

https://help.twitter.com/en/safety-and-security/account-security-tips

https://www.cnet.com/news/lock-down-your-twitter-security-settings-now/
newbie
Activity: 23
Merit: 853


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/




Frankly, even though I'm using  HW based U2F to authorize myself at all Google services,  you have  frightened me and  I have followed the link, but the story calmed me down . It says only small part of  G Suite accounts is vulnerable.( I'm not a user of it).  Anyway it's  shame for such top company to keep users password (even the small part of it) in a plain text format.
hero member
Activity: 2562
Merit: 577
Am also speechless, can you imagine the number of high profile people whose twitter account has been compromise withing the same time frame! i sincerely don't want to believe that twitter failed to step up on security, if this is not the case, what then is the problem that hackers are gaining access to high profile account, one or two can be overlooked but more than that is really questionable,
i may not be a high profile person but i don't feel secure using twitter after this incidence, they should really do something about their security or whatever loopholes are there.
legendary
Activity: 3080
Merit: 1500
I'm shocked this kind of stuff is still happening after so many incidents. I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.

What made you think that twitter didn't upgrade their security systems? What made you think that hackers didn't upgrade their hacking knowledge? Why do you think that sueing Twitter will put an end to hacking?

Twitter employees around the world are working from home right now which is a big security challenge because all employees are using local ISPs. Obviously they are using VPN to connect to the office network, but that is not a fullproof security practice and may expose the network for breaching.

From my past experience in working with a top tier Global IT company, I can tell that such kind of hacking attacks are unprecedented you never know what flaws hackers will find in your system! However, we always look for the efforts they have taken to mitigate the threat after it is first noticed! I believe Twitter has done their best to mitigate the attack.

But one thing I must admit that the approach taken by the hackers to make money is very low IQ approach.
hero member
Activity: 1344
Merit: 540
I think its not that the password are stored in plain text, it could be that the people involved used social engineering attacks like targeting Twitter employees through phishing, and then work they way up to get to the database crack the hash password and unleash in one go. And I am assuming that this is not a one day attack, it is a careful planning from the group of hackers, maybe months to filter out high value accounts before they made their moved.
hero member
Activity: 3164
Merit: 937
This topic (Google,Twitter and Facebook security measures and storing of passwords)has little or nothing to do with the discussions about Bitcoin.You should move it out of the Bitcoin discussion forum.
Anyway,I'm glad that I don't use Twitter and Facebook.I'm done with social media.
I was planning to delete my Google account but Gmail,Youtube,Drive and Google Sheets are so damn convenient. Grin I guess I'll stay with Google. Sad
The tech giants will surely take some measures to increase the security and prevent such massive hacks to happen again.
legendary
Activity: 3248
Merit: 1402
Join the world-leading crypto sportsbook NOW!
It's unbelievable that the passwords were actually stored... I mean, it's not hard to hash them right away, is it? As for what happened in the current hack, from what I've read from official updates by Twitter on the situation is that the hackers got to employees accounts and managed to get access to some verified user accounts through that. Which also presupposes that employees of Twitter have some sort of privileged access to Twitter accounts of people like Musk and Obama, although they clearly shouldn't. Jack seems like a nice guy, but they gotta work on those vulnerabilities harder.
hero member
Activity: 2702
Merit: 672
I don't request loans~
The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.
There were talks about having an insider with relation to the hacks. The situation inside the company must be heavy as hell. There were news about how the hacked accounts even completely changed the mobile numbers and email accounts linked, making retrieving them a lot harder than usual.
I kind of disagree to the statement where they said that they have found out a bug that the system is storing the password in plain text. Having a little knowledge about programming, it was intentional to have a line of code that mask, encrypt, or hash the password of the users in order to secure it in whatever database we are using. Finding a bug that see's the password means that their encryption isn't strong enough to hide the password in plain text or else, it was intentional to store it which decreases the reputation of the software, web development company. Though, it isn't necessary mean that encrypted password is always the solution to prevent frauds, they should also strengthen the encryption just like what hashes in bitcoin looks like. If I am not mistaken BTC uses SHA256 encryption, if this is possible, they might also use it for password, or even MD5 encryption just for the sake of preventing plain text password to show up.
Who knows whether they're stating the real problem or not? Seeing as how a lot of companies have already used the "plain text" bug so much in the past, they probably thought they could use it as well to avoid any problems with regards to publicity and the like. Plus, if the passwords were stored in plaintext, whenever the system crosschecks it, shouldn't it be a miss or something? Or is it that, there was a separate database where the said bug saves the plaintext records of passwords, but the system still hashes them to match to the stored hash in their database?
sr. member
Activity: 644
Merit: 364
In Code We Trust
I kind of disagree to the statement where they said that they have found out a bug that the system is storing the password in plain text. Having a little knowledge about programming, it was intentional to have a line of code that mask, encrypt, or hash the password of the users in order to secure it in whatever database we are using. Finding a bug that see's the password means that their encryption isn't strong enough to hide the password in plain text or else, it was intentional to store it which decreases the reputation of the software, web development company. Though, it isn't necessary mean that encrypted password is always the solution to prevent frauds, they should also strengthen the encryption just like what hashes in bitcoin looks like. If I am not mistaken BTC uses SHA256 encryption, if this is possible, they might also use it for password, or even MD5 encryption just for the sake of preventing plain text password to show up.

Just a little bit of info, this isn't much topic related.

There are some questions such as how do the system could recognize if the password entered by the user is correct so that they could successfully log in?

The passwords are hashed once again, and looking up to the database, the system will just compare if the produced hash is the same as the stored password, but should not compare a direct plain text as password. This way, hacking will be prevented as it is way too impossible to brute force password with more than 10 characters long.
legendary
Activity: 2968
Merit: 3684
Join the world-leading crypto sportsbook NOW!
The question that enters my mind here now though is, doesn't Jack Dorsey and others use 2FA? Or have the hackers figured out how to bypass that too? I actually have a super inactive Twitter account but I know if I access it from another device I have to 2FA. Don't even remember setting it up so it must have forced me to at some point.
legendary
Activity: 2268
Merit: 1379
Fully Regulated Crypto Casino
https://twitter.com/TwitterSupport/status/1283591846464233474


The latest update from twitter would appear to confirm it.
So this move is planned including some of their employees. Twitter should investigate every single of those personnel they had, they are not sure whose the culprit Im not a negative thinker but I dont want to assume that even them could part of this. No one knows, how could a security breached instantly? Top executives of their firm might be considered as part of it.

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.
This will be due process but I do hope they do, with money collected by this hacked this will not be tolerated by authorities and demand a response from Twitter. It might be hard to track identities of those hackers using blockchain but I wish they be caught.
hero member
Activity: 2044
Merit: 784
Leading Crypto Sports Betting & Casino Platform
I'm shocked this kind of stuff is still happening after so many incidents. I see sites like twitter and facebook put so much improvements and efforts hunting *hate posts* and censoring users on their platforms who don't follow the mainstream points of view, that I ask myself: shouldn't they be putting the same effort at least to preserve their users integrity on their platforms?

I hope all those who were hacked sue twitter for such violation, and of course, that the hackers be caught as well.
legendary
Activity: 2562
Merit: 1441
https://twitter.com/TwitterSupport/status/1283591846464233474


The latest update from twitter would appear to confirm it.
legendary
Activity: 2562
Merit: 1441
Quote
May 3, 2018

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.

https://www.zdnet.com/article/twitter-says-bug-exposed-passwords-in-plaintext/


....


Google is confirmed for storing passwords in plaintext since 2005:  https://www.wired.com/story/google-stored-gsuite-passwords-plaintext/

Facebook also stores passwords in plaintext:  https://techcrunch.com/2019/03/21/facebook-plaintext-passwords/

The sad reality is, many tech and financial giants store passwords in plaintext which leaves accounts vulnerable.

As far as anyone knows, they continue to do so, years after the poor security practice was first made public knowledge: https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/



Jump to: