55.000 hacked Twitter accounts leaked… or?

Recently, Prabakaran Santhanam reported that there were 55.000 Twitter accounts leaked from a hack.

Update: I checked some accounts, and the e-mail ones seem to originate from the June 2011 leak by Lulzsec.
When looking at the spam-accounts, Google suggested this site as a possible original source for at least a bunch of them… ;P

For updates on this, and other programming/security stuff, follow me on Twitter: @nilssonanders

I took a look at the files, and gathered some statistics!

There are a total of 58.973 lines in all of the files (including whitespace).

If we sort out all the duplicate accounts, we end up with 34.062 unique accounts, where a handful are obviously incorrect when looking at the data.

There are two kinds of accounts in the list, ones with a user name (e.g. ”Hayleyjsvze”), and ones with an e-mail (e.g. ”[email protected]”). On Twitter, you can log in with either your user name or your e-mail, so that could be the reason there are two different kinds.. or?

Of the 34.062 unique accounts, 25.068 seem to be e-mail addresses. Those accounts look ”real”. They all seem to have ”regular” passwords (easier words, numbers). The rest of the accounts, the ones that aren’t based on an e-mail address, all seem to be spam-accounts. They have few, if any, posts and follow many others, but have very few followers of their own. And they all have random 8 character passwords..

Now, looking back to the real accounts, here are some statistics from the e-mails used for the accounts:

Total number of accounts: 34.062
Total number of e-mails: 25.068 (where a few are incorrect, or contain typos)
Domain "hotmail.com": 15,777
Domain "gmail.com": 2,193
Total NOT using ".com": 6,046 (but a handful of invalid e-mails in there too)
Total using ".com.br": 5,736

So, almost 95% of the country-specific e-mails are from Brazil (.com.br)! And of the ”55.000” accounts, about 9000 seem to be Twitter-spam accounts..
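The counts above can be reproduced with a short script; this is an added example, not the author's tooling. It assumes one `login:password` pair per line (the post does not describe the file format), deduplicates on the login only, and runs on constructed sample lines.

```python
import re
from collections import Counter

# Constructed sample; the "login:password" layout is an assumption.
SAMPLE = """\
sample-a@example.com.br:102030
sample-a@example.com.br:102030

sample-b@example.com:123456
sample-c@example.com:brasil10
sample-d@example.net:amor2011
Hayleyjsvze:k3Xq9ZpL
Qwmzrtplk:Zt7bN2qW
broken@:123
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def summarize(text):
    lines = text.splitlines()
    accounts = {}  # lower-cased login -> first password seen
    for line in lines:
        login, sep, password = line.strip().partition(":")
        if sep and login:  # skips blank lines and lines without a separator
            accounts.setdefault(login.lower(), password)
    emails = [a for a in accounts if EMAIL_RE.match(a)]
    malformed = [a for a in accounts if "@" in a and not EMAIL_RE.match(a)]
    usernames = [a for a in accounts if "@" not in a]
    domains = Counter(e.rsplit("@", 1)[1] for e in emails)
    # One entry per account, so these are account counts, not domain counts.
    non_com = [d for d in domains.elements() if not d.endswith(".com")]
    return {
        "total_lines": len(lines),
        "unique_accounts": len(accounts),
        "email_accounts": len(emails),
        "malformed": len(malformed),
        "username_accounts": len(usernames),
        "top_domain": domains.most_common(1),
        "not_dot_com": len(non_com),
        "dot_com_br": sum(d.endswith(".com.br") for d in non_com),
        # User-name accounts with 8-character passwords (the spam pattern).
        "username_pw_len8": sum(len(accounts[u]) == 8 for u in usernames),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```
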

I think this is probably the result of either a leak of a big Brazilian hacked website, or a Brazil-targeted phishing, combined with 9000 Twitter-spam accounts.

I haven’t verified any of the accounts (of course!) so it IS possible that the e-mail accounts are actually valid for their e-mail, not actually to Twitter…

Now… looking back to the spam accounts… many of the accounts have already been suspended by Twitter, but.. here are some that are currently working:

Notice how they all have some generic profile image, screen name and full name. Also, they all have a big bunch of people they follow, a few followers of their own… and… they all retweeted the @Swagstro account…

Also, looking at their followers:







They follow about the same accounts (at least some random ones), with the top account always being @Cyberopz

There’s definitely something more to this leak than just a generic hacked website.. weird that they combined spam-accounts and regular ones… We’ll see what else there is to find out about this. 🙂


I also did a quick Pipal run of the e-mail based accounts:

Total entries = 37058
Total unique entries = 21215

Top 10 passwords
123456 = 688 (1.86%)
123456789 = 258 (0.7%)
102030 = 92 (0.25%)
123 = 86 (0.23%)
12345 = 74 (0.2%)
1234 = 67 (0.18%)
242424 = 41 (0.11%)
101010 = 40 (0.11%)
12345678 = 38 (0.1%)
010203 = 35 (0.09%)

Top 10 base words
bruno = 47 (0.13%)
junior = 44 (0.12%)
carlos = 43 (0.12%)
brasil = 38 (0.1%)
sexo = 38 (0.1%)
amor = 36 (0.1%)
daniel = 36 (0.1%)
alex = 36 (0.1%)
rafa = 33 (0.09%)
jesus = 33 (0.09%)

(full statistics available here)

The top base words also really suggest that this leak originated in Brazil.

Update: As I reported yesterday, it seems like this list consists of old hacked accounts from last summer, and some spam-accounts with random passwords.
