Recently, Prabakaran Santhanam reported that 55,000 Twitter accounts had been leaked from a hack.
Update: I checked some of the accounts, and the e-mail-based ones seem to originate from the June 2011 leak by LulzSec.
When looking at the spam accounts, Google suggested this site as a possible original source for at least a bunch of them… ;P
For updates on this, and other programming/security stuff, follow me on Twitter: @nilssonanders
I took a look at the files and gathered some statistics!
There are 58,973 lines in total across all of the files (including blank lines).
If we remove all the duplicate accounts, we end up with 34,062 unique accounts, a handful of which are obviously malformed when you look at the data.
There are two kinds of accounts in the list: ones with a user name (e.g. “Hayleyjsvze”), and ones with an e-mail address (e.g. “something@hotmail.com”). On Twitter you can log in with either your user name or your e-mail, so that could be the reason there are two different kinds. Or maybe not?
Of the 34,062 unique accounts, 25,068 seem to be e-mail addresses. Those accounts look “real”: they all seem to have “regular” passwords (simple words, numbers). The rest of the accounts, the ones that aren’t based on an e-mail address, all seem to be spam accounts. They have few, if any, posts, they follow many others, but they have very few followers of their own. And they all have random 8-character passwords.
Now, looking back at the real accounts, here are some statistics from the e-mail addresses used for them:
Total number of accounts: 34,062
Total number of e-mails: 25,068 (a few of these are malformed or contain typos)
Domain "hotmail.com": 15,777
Domain "gmail.com": 2,193
Total NOT using ".com": 6,046 (a handful of invalid e-mails are in there too)
Total using ".com.br": 5,736
So, almost 95% of the country-specific e-mails (5,736 of the 6,046 not ending in ".com") are from Brazil (.com.br)! And of the “55,000” accounts, about 9,000 seem to be Twitter spam accounts.
I think this is probably the result of either a leak from a big hacked Brazilian website, or a Brazil-targeted phishing campaign, combined with about 9,000 Twitter spam accounts.
I haven’t verified any of the accounts (of course!), so it IS possible that these credentials are actually valid for the e-mail accounts themselves rather than for Twitter…
Now… looking back at the spam accounts… many of them have already been suspended by Twitter, but here are some that are currently working:
Notice how they all have a generic profile image, screen name and full name. Also, they all follow a large number of people and have only a few followers of their own… and… they all retweeted the @Swagstro account…
Also, looking at the accounts they follow:
They follow roughly the same accounts (at least some of them overlap), with the top account always being @Cyberopz…
There’s definitely more to this leak than just a generic hacked website. It’s weird that spam accounts and regular ones were combined… We’ll see what else there is to find out about this.
Update:
I also did a quick Pipal run on the e-mail-based accounts:
Total entries = 37058
Total unique entries = 21215
Top 10 passwords
123456 = 688 (1.86%)
123456789 = 258 (0.7%)
102030 = 92 (0.25%)
123 = 86 (0.23%)
12345 = 74 (0.2%)
1234 = 67 (0.18%)
242424 = 41 (0.11%)
101010 = 40 (0.11%)
12345678 = 38 (0.1%)
010203 = 35 (0.09%)
Top 10 base words
bruno = 47 (0.13%)
junior = 44 (0.12%)
carlos = 43 (0.12%)
brasil = 38 (0.1%)
sexo = 38 (0.1%)
amor = 36 (0.1%)
daniel = 36 (0.1%)
alex = 36 (0.1%)
rafa = 33 (0.09%)
jesus = 33 (0.09%)
(full statistics available here)
The top base words also strongly suggest that this leak originated in Brazil.
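The counting described above (line total, deduplication, the e-mail versus user-name split, the domain breakdown, the random-8-character spam passwords) and the Pipal-style password summary, carried out as one added Python example. This is not code from the original post and not Pipal's own code: the dump lines are constructed for illustration, the e-mail and "random 8 character password" patterns are my assumptions, and the base-word rule (strip leading and trailing non-letters) is only an approximation of what Pipal does.

```python
"""Added example, not the original post's code: reproduce the post's dump
analysis (line count, dedup, e-mail/username split, domain totals, spam
password heuristic, Pipal-style password summary) on a constructed sample."""
import re
from collections import Counter

# Constructed sample in the "login:password" shape of the leaked files.
# These are made-up entries, not lines from the real dump.
SAMPLE_DUMP = """\
bruno.silva@hotmail.com:123456
maria@gmail.com:amor2010

bruno.silva@hotmail.com:123456
joao@uol.com.br:brasil123
Hayleyjsvze:k8Qz2pLm
Tomgqxwe:Xr4tB9nW
carlos@hotmail.com.br:carlos
not-an-email@:junk
ana@terra.com.br:102030
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption: the spam accounts' "random 8 character passwords" are 8
# alphanumerics mixing upper case, lower case and digits.
RANDOM8_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)[A-Za-z0-9]{8}$")


def parse_dump(text):
    """Return (line_count, records). line_count includes blank lines, as the
    post counted them; records holds only parsable login:password pairs."""
    lines = text.splitlines()
    records = []
    for line in lines:
        login, sep, password = line.partition(":")
        if sep and login.strip():
            records.append((login.strip(), password))
    return len(lines), records


def dedupe(records):
    """Unique (login, password) pairs, first occurrence kept, order preserved."""
    return list(dict.fromkeys(records))


def classify(records):
    """Split into e-mail logins, plain user names and malformed e-mail-like entries."""
    emails, usernames, invalid = [], [], []
    for rec in records:
        login = rec[0]
        if "@" not in login:
            usernames.append(rec)
        elif EMAIL_RE.match(login):
            emails.append(rec)
        else:
            invalid.append(rec)
    return emails, usernames, invalid


def looks_like_spam_password(password):
    """Heuristic for the spam accounts' random 8-character passwords."""
    return bool(RANDOM8_RE.match(password))


def base_word(password):
    """Approximation (assumed) of Pipal's base word: strip leading and
    trailing non-letters, ignore anything shorter than 3 letters."""
    word = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()
    return word if len(word) >= 3 else None


def password_stats(records, top=10):
    """Pipal-style summary: totals, top passwords and top base words with percentages."""
    passwords = [pw for _, pw in records]
    total = len(passwords)
    counts = Counter(passwords)
    bases = Counter(b for b in map(base_word, passwords) if b)
    pct = lambda n: round(100.0 * n / total, 2) if total else 0.0
    return {
        "total": total,
        "unique": len(counts),
        "top_passwords": [(p, n, pct(n)) for p, n in counts.most_common(top)],
        "top_base_words": [(b, n, pct(n)) for b, n in bases.most_common(top)],
    }


def analyse(text):
    """All the numbers the post reports, computed from a dump in one pass."""
    line_count, records = parse_dump(text)
    unique = dedupe(records)
    emails, usernames, invalid = classify(unique)
    domains = Counter(login.rsplit("@", 1)[1].lower() for login, _ in emails)
    return {
        "total_lines": line_count,
        "unique_accounts": len(unique),
        "email_accounts": len(emails),
        "username_accounts": len(usernames),
        "invalid_entries": len(invalid),
        "spam_suspects": sum(looks_like_spam_password(pw) for _, pw in usernames),
        "hotmail.com": domains["hotmail.com"],
        "gmail.com": domains["gmail.com"],
        "not_dot_com": sum(n for d, n in domains.items() if not d.endswith(".com")),
        "com_br": sum(n for d, n in domains.items() if d.endswith(".com.br")),
        "passwords": password_stats(emails),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Note that ".com.br" domains are counted under "not .com" as well, exactly as in the table above, and that the password summary is run on the e-mail-based records only, since the user-name records carry the random spam passwords and would only skew the base-word list.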
Update: As I reported yesterday, it seems that this list consists of old hacked accounts from last summer, plus some spam accounts with random passwords.