Twitter accounts getting hacked: whose fault? Easy passwords, or Twitter?

cpvr

Well, I was checking out my feed on Twitter, and I came across this post by BuzzFeed: http://www.buzzfeed.com/jwherrman/security-flaw-lets-hackers-steal-twitter-accounts

On Saturday, multimedia producer and Twitter user Daniel Dennis Jones — @blanket, at the time — received a notification that his Twitter password had been reset. This alone would have been cause for concern; at the very least, it would mean that someone had tried and failed to access his account. He quickly found out that the problem was much worse:
Daniel Dennis Jones
@originalblanket
Tried to login and failed. Was still logged in on my phone though, and was panicked to see my tweet/follow counts at 0.
(You can find a first-hand Storify of Jones's experience here. It's long but worth reading.)
He was eventually able to log back into the account, but found that his username had been changed to @****MyAssHoleLO (I can only assume the last "L" got truncated), and that @blanket was now operated by someone else. His account, in other words, had clearly been hacked.


It also went on and said the following:
In addition, his username had been put up for sale. All apparently due to an incredibly obvious Twitter security flaw — one that the company has so far treated as a standard support issue.
Jones found his username listed among other single-word names on a site called ForumKorner, a community where users can buy and sell usernames for online games, a common practice that's not always sanctioned by game companies. It's also, apparently, at least an occasional marketplace for illegally obtained Twitter accounts:
4:54:30 Jones: what makes a name easy to jack? a vulnerable password?
4:55:15 Moon: yes
4:55:47 Jones: do you rely on lists of other passwords, like the linkedin hack? or do you randomize passwords? how does the cracker work?
4:56:17 Moon: i have several custom pw lists that i've made my self
The hacker described an exceedingly basic technique: he used a program that repeatedly attempts to log in with common passwords. Most sites, including Twitter, flag or disable user accounts, or throw up a CAPTCHA, after a certain number of failed login attempts. But whereas many services, including Gmail, limit login attempts on a per-account basis, Twitter apparently only prevents large numbers of login attempts from the same IP address.
In other words, hackers — or crackers, as they would call themselves — can try to log in as many times as they want, so long as the login attempts appear to be coming from different computers.


So basically, the moral of this story is to use hard and long passwords, and not something that could be easily traced back to a user. That's why it's a good idea to practice good internet safety. And when your account receives an update that you requested a lost password, change your email account password and everything else. That way, they don't bully you and take your ****.

Really though, people running huge Twitter accounts should know about internet safety, and if you talk, make sure you don't include things that could give people hints about your passwords.

/end rant

@Brandon @Dan Hutter @Carlos @iFroggy
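The difference between per-IP and per-account limiting described in the quoted article, as an added example that is not part of the original post and is not Twitter's code. The thresholds, class and function names, usernames and addresses are assumptions, and the attempt lists are constructed sample data.

```python
from collections import defaultdict, deque


class FailureWindow:
    """Sliding-window count of failed logins, keyed by IP or by username."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def record(self, key, now):
        self.events[key].append(now)

    def blocked(self, key, now):
        q = self.events[key]
        while q and now - q[0] > self.window:  # drop failures older than the window
            q.popleft()
        return len(q) >= self.limit


def guesses_checked(attempts, per_account):
    """Count failed guesses that still reach the password check.

    attempts: iterable of (timestamp, source_ip, username).
    per_account: when True, throttle on the target username as well as the IP.
    """
    by_ip = FailureWindow(limit=5, window_seconds=900)       # assumed thresholds
    by_account = FailureWindow(limit=5, window_seconds=900)  # assumed thresholds
    checked = 0
    for now, ip, user in attempts:
        if by_ip.blocked(ip, now):
            continue
        # A production service would typically answer with a CAPTCHA or an
        # owner notification here instead of silently dropping the attempt.
        if per_account and by_account.blocked(user, now):
            continue
        checked += 1
        by_ip.record(ip, now)
        by_account.record(user, now)
    return checked


# Constructed data: 200 wrong guesses at one account, one per second,
# each from a different address in a documentation range.
DISTRIBUTED = [(t, f"198.51.100.{t + 1}", "example_user") for t in range(200)]
# Constructed data: the same 200 guesses from a single address.
SINGLE_SOURCE = [(t, "203.0.113.7", "example_user") for t in range(200)]
```

With IP-only limiting every guess in `DISTRIBUTED` is evaluated; adding the per-account window stops the run after the fifth failure regardless of source address.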
 
It's so freakin' easy to use random unique passwords nowadays. I don't understand why anyone would risk their accounts for laziness. I couldn't tell you my password for anything.
 
Sadly, in this day and age passwords don't mean much. 9 out of 10 times the hacker does it without using the password, meaning not brute force like they are talking about. Brute forcing is not really hacking in my opinion. Hotmail, Gmail, Yahoo are all easy to steal if you know enough without knowing the password. Weak security questions are worse than weak passwords.
 
I got my Twitter account "hacked" once and it happened because I used my login info on a website that promised more Followers. Well I indeed obtained some new Followers but later I found out my Twitter account had been used to post random spam and there was lots of it. Fortunately it stopped after I changed my password. So, be careful with your login info.
 