Thousands of Twitter passwords allegedly exposed

55,000 Twitter account names and passwords were, it was claimed last night, published on Pastebin on 7 May. The list ran over over five separate pages on the document publishing platform. Twitter confirmed it was looking into the situation and said it was resetting the passwords of affected accounts. Later examination of the list by Twitter revealed that it contained 20,000 duplicates, suspended spam accounts and incorrect login credentials.

It is unclear where the data came from – Mashable says hackers affiliated with Anonymous were involved, but no apparent announcement from the hackers has been made. The first reporting of the leak was on hacker news aggregation site airdemon.net. It doesn't appear that Twitter's systems were compromised.

A random sampling of a number of the accounts by a Hacker News reader found them to typically have a couple of followers and be following thousands of other Twitter users; this is a common footprint of a Twitter spam account. An analysis by an Eset blogger found that even after deduplicating the list, 25,000 entries in the remaining list were email addresses. This leaves around 9000 apparent Twitter spam accounts. Eset compared the accounts with previous leaks and found that the email ones apparently matched a June 2011 LulzSec leak and also found some of the spam accounts posted in an April forum post.

Update: According to the company, affected Twitter users should have already received a notification email that their passwords have been reset. These users are also advised to check which apps have been authorised to access their Twitter account and revoke the access of any unknown programs or services; this can be done by logging into Twitter.com and going to Settings > Apps.

(djwm)