Brute Force Attack On Twitter

[youtube=http://www.youtube.com/watch?v=IKNbggNJMVI]

Wired Threat Level has posted an interview with the hacker who recently broke into several high-profile Twitter accounts, such as those of Fox News and Barack Obama. Since we know how much you all love Twitter, we thought you might want to learn more about it. Apparently he used a brute-force method to get into the account of a member of the support team. The password was “happiness”, which was cracked pretty quickly. This might be a good time to review your own strategies to prevent brute-force attacks.

22 thoughts on “Brute Force Attack On Twitter”

  1. Also on another note: 4chan types use stupidity like this and social engineering to break into accounts. It’s not software vulnerabilities by any means.

    I saw one case about a year ago where there were some people from there working as unpaid staff on an anime RPG site, and they were leaking information about accounts that were causing frequent defacements. They’re probably still there.

  2. @#7: Maybe under some other ideology. The majority of them have no software engineering skills. They exploit stupidity; under your statement that insinuates the stupid people are in the social majority. Kind of makes sense I guess.

    The most skilled person on 4chan probably runs metasploit or milworm modules. Which apparently fail because they got into myspace and a lot of other places by trivial means, such as weak passwords.

  3. It’s *so easy* to prevent brute-forcing, yet few do — @TJ, who said “it’s not software vulnerability”… yes, yes it is. Three (/four/five) retries, then you’re locked out for an hour. Bam, I’ve solved your problem, where’s my big fat check?

  4. Twtter example:
    “Today as I was walking down I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

    irony-zing.

    I keep my knives sharp in case I meet anyone who twitters about updating their blog. =/

  5. Tw[i/a]tter example:
    “Today as I was walking down [address] I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

    irony-zing.

    I keep my knives sharp in case I meet anyone who twitters about updating their blog. =/

    (Excuse the double post > tags messed it up and with no edit…)

  6. The best method is what PHPBB uses, imho: if you fail 3 password guesses you have to enter a captcha along with the password. The process would slow down so much that a good password would take days to find.

    You could also, after 10 or 15 bad guesses, disable the login for that account and send an email with an activation link.

    Even a dictionary attack would probably fail to find ‘happiness’ with just 10 tries.
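The escalation described in comments 3 and 6 (captcha required after three failures, account disabled with an e-mailed activation link after ten, stale failure counts expiring after an hour), as an added Python example that is not Twitter's or phpBB's code. The `LoginThrottle` class, its method names and the exact thresholds are assumptions; sending the activation e-mail is left to the caller.

```python
import time
from dataclasses import dataclass

# Thresholds taken from the thread (assumed values): captcha after 3 failures,
# account disabled after 10, and failure counters expire after an hour.
CAPTCHA_AFTER, DISABLE_AFTER, WINDOW_SECONDS = 3, 10, 3600

@dataclass
class AccountState:
    failures: int = 0
    last_failure: float = 0.0
    disabled: bool = False  # cleared only by the e-mailed activation link

class LoginThrottle:
    """Per-account escalation (added example; not Twitter's or phpBB's code)."""
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can fake the passage of time
        self.accounts: dict[str, AccountState] = {}

    def status(self, user: str) -> str:
        """What the next attempt must satisfy: 'ok', 'captcha' or 'disabled'."""
        s = self.accounts.setdefault(user, AccountState())
        if s.disabled:
            return "disabled"
        # Expire stale failures so a real user is not stuck behind a captcha.
        if s.failures and self.clock() - s.last_failure > WINDOW_SECONDS:
            s.failures = 0
        return "captcha" if s.failures >= CAPTCHA_AFTER else "ok"

    def attempt(self, user: str, password_ok: bool, captcha_ok: bool = False) -> str:
        """Process one login attempt and return its outcome."""
        state = self.status(user)
        if state == "disabled":
            return "disabled"
        if state == "captcha" and not captcha_ok:
            return "captcha_required"  # password is not even checked
        s = self.accounts[user]
        if password_ok:
            s.failures = 0
            return "success"
        s.failures += 1
        s.last_failure = self.clock()
        if s.failures >= DISABLE_AFTER:
            s.disabled = True  # caller now mails the activation link
            return "disabled"
        return "failed"

    def reactivate(self, user: str) -> None:
        # Called when the user follows the activation link from the e-mail.
        self.accounts[user] = AccountState()
```

Because the captcha gate runs before the password check, each guess past the third costs the guesser a captcha solve, which is what turns a quick dictionary run into a multi-day one.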
