A hacker from Mauritania claims he has gained access to a good amount of Twitter login details, which he has published online. He has not apparently obtained the passwords to the accounts, but the plain-text file does include Twitter user IDs and the associated OAuth tokens that are used to connect Twitter accounts to third-party services without having to reveal the user’s password to those services.
The hacker, who goes by the name of Mauritania Attacker, leaked just over 15,000 account details early on Tuesday through the file-sharing service Zippyshare. However, the Indian security site Techworm said it had interviewed him, and he apparently claimed to have access to the “entire database of users on Twitter.”
On its own, this token data can help the bad guys gain limited access to the affected Twitter accounts if they run the right script.
At this time, it is unknown if the hacker obtained the user info directly from Twitter’s servers, or by hacking into a third-party service that connects to users’ Twitter accounts. The third-party scenario is the most likely, as hacking into Twitter’s authentication server is “possible but unlikely,” security expert Alan Woodward, of the University of Surrey in the UK, told GigaOM.
Woodward noted the format of the tokens in the plain-text file looked “plausible,” adding they probably wouldn’t give attackers full access to users’ accounts, but might make it possible to tweet under the user’s name.
While saying users probably don’t need to change their passwords, Woodward did suggest some defensive steps a user could take: “Personally, I do regular housekeeping where I go into the Apps settings of Twitter and delete the third party apps that have access. The reason is that at present Twitter OAuth tokens once issued do not expire. You have to manually revoke them… So, I think best thing one could [do] is to go in and revoke third party’s apps rights and then just relogin when/if you want to reaccess Twitter via that app. This way a new token will be issued.”
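As an added illustration (not code from the article, from Twitter, or from Woodward), the Python sketch below models the OAuth 1.0a HMAC-SHA1 signing that Twitter third-party apps used and a minimal server-side token store: a request signed with a live access token and its secret verifies, a tampered request or a guessed secret does not, and once the token is revoked the same request is rejected, which is the effect of the housekeeping Woodward describes. The app credentials, user token and endpoint URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder app credentials for the demonstration; not real Twitter values.
CONSUMER_KEY, CONSUMER_SECRET = "demo-consumer-key", "demo-consumer-secret"

def pct(value):
    # RFC 5849 percent-encoding: only unreserved characters are left as-is
    return urllib.parse.quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    # OAuth 1.0a base string over the sorted, encoded parameters (oauth_signature excluded)
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with both secrets; the user's password never enters the exchange
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def build_signed_request(method, url, body, token, token_secret, nonce, timestamp):
    # Client (third-party app) side: attach the oauth_* fields and sign the whole set
    params = dict(body, oauth_consumer_key=CONSUMER_KEY, oauth_nonce=nonce,
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=timestamp,
                  oauth_token=token, oauth_version="1.0")
    params["oauth_signature"] = sign(method, url, params, CONSUMER_SECRET, token_secret)
    return params

class TokenStore:
    # Server side: an issued access token stays valid until it is explicitly revoked
    def __init__(self):
        self.tokens = {}  # access token -> (user_id, token_secret)
    def issue(self, user_id, token, token_secret):
        self.tokens[token] = (user_id, token_secret)
    def revoke(self, token):
        self.tokens.pop(token, None)
    def verify(self, method, url, params):
        # Returns the user id when the request carries a valid signature from a live token
        entry = self.tokens.get(params.get("oauth_token"))
        if entry is None or "oauth_signature" not in params:
            return None
        user_id, token_secret = entry
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, CONSUMER_SECRET, token_secret)
        return user_id if hmac.compare_digest(expected, params["oauth_signature"]) else None
```

Because a leaked token only works together with its secret and the app's consumer secret, and only while the server still lists it, revoking the app's access is what actually closes the window.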
A Twitter spokeswoman told GigaOM on Tuesday that the company was “currently looking into the situation.”