Brute force attack on Twitter

posted Jan 7th 2009 4:14pm by Caleb Kraft
filed under: news, security hacks

Wired Threat Level has posted an interview with the hacker who recently broke into several high profile twitter accounts, such as Fox News, and Barack Obama. Since we know how much you all love twitter, we thought you might want to learn more about it. Apparently he used a brute force method to get into a member of the support team. The password was “happiness” which was cracked pretty quickly. This might be a good time to review your own strategies to prevent brute force attacks.

Comments [22]

tagged: brute forcce, hack, twitter

Reader Comments

that’s a dictionary attack, not quite the same as brute force

Posted at 4:20 pm on Jan 7th, 2009 by zub

blacklisting IPs works too but watch
out for possible denial of service!

The best thing is to enforce a minimum
password strength for all users.
Problem solved.

Posted at 4:25 pm on Jan 7th, 2009 by happypinguin

s/hacker/cracker/

Posted at 4:43 pm on Jan 7th, 2009 by JKB

imo, DenyHosts is a better solution for rate-limiting SSH on Linux and *BSD systems.

Posted at 4:51 pm on Jan 7th, 2009 by ex-parrot

happiness as a password. Whoever allowed that on a server they administered should be banned from ever working in the IT industry. That’s blatantly dumb.

Posted at 4:57 pm on Jan 7th, 2009 by TJHooker

Also on another note: 4chan types use stupidity like this and social engineering to break into accounts. It’s not software vulnerabilities by no means.

I seen one case about a year ago where there where some people from there working as unpaid staff on a anime RPG site, and they where leaking informatin about accounts that where causing frequent defacements. They’re probably still there.

Posted at 5:04 pm on Jan 7th, 2009 by TJHooker

4chan, hackers on steroids

Posted at 5:09 pm on Jan 7th, 2009 by Anonymous

first palin now this, this is awesome no one is safe from hackers. you know if your famous its pretty much inevitable that you will get hacked it seems.

Posted at 6:09 pm on Jan 7th, 2009 by Drew

@#7: Maybe under some other ideology. The majority of them have no software engineering skills. They exploit stupidity; under your statement that insinuates the stupid people are in the social majority. Kind of makes sense I guess.

The most skilled person on 4chan probably runs metasploit or milworm modules. Which apparently fail because they got into myspace and a lot of other places by trivial means- such as weak passwords.

Posted at 6:13 pm on Jan 7th, 2009 by TJHooker

@jkb:

It looks like you forgot the ‘g’ at the end. The comments still seem to be unchanged.

s/hacker/cracker/g

Fixed it for you :)

Posted at 7:58 pm on Jan 7th, 2009 by Shadyman

internet hate machine

Posted at 8:00 pm on Jan 7th, 2009 by the game

“Since we know how much you all love twitter,”

Nice :)
I like that.

Posted at 11:55 pm on Jan 7th, 2009 by Jake D. Hipster

It’s *so easy* to prevent brute-forcing, yet few do — @TJ, who said “it’s not software vulnerability”… yes, yes it is. Three (/four/five) retries, then you’re locked out for an hour. Bam, I’ve solved your problem, where’s my big fat check?

Posted at 9:30 am on Jan 8th, 2009 by Coderer

Twtter example:
“Today as I was walking down I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

irony-zing.

I keeps my knifes sharp incase I meet anyone that twitters about updating there blog. =/

Posted at 12:39 pm on Jan 8th, 2009 by tecNik

Tw[i/a]tter example:
“Today as I was walking down [address] I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

irony-zing.

I keeps my knifes sharp incase I meet anyone that twitters about updating there blog. =/

(Excuse the double post > tags messed it up and with no edit…)

Posted at 12:42 pm on Jan 8th, 2009 by tecNik

@shadyman

I thought for sure no one else would get that sed joke.

sed -e ’s/hacker/cracker/g’

Posted at 1:12 pm on Jan 8th, 2009 by steve

my passwords are all as brute-force proof as possible, i have all my passwords set to zzzzzzzzzzzzzzzzzzzzz

Posted at 2:47 pm on Jan 8th, 2009 by monster

Coderer: Awesome… so if I want to lock someone out of an account all I need to do is make a script to enter a fake password every hour or so.

Posted at 6:39 am on Jan 9th, 2009 by bencoder

The best method is what PHPBB uses, imho: if you fail 3 password guesses you have to enter a captcha along with the password. The process would slow down so much that a good password would take days to find.

You could also, after 10 or 15 bad guesses, disable the login for that account and send an email with an activation link.

Even a dictionary attack would probably fail to find ‘happiness’ with just 10 tries.

Posted at 9:07 am on Jan 9th, 2009 by IceBrain

ahhaha .. i think i need to update my dictionary list .. “happiness” will be top 10 in the que .. lol ..

Posted at 9:17 am on Jan 9th, 2009 by c0smic

did the Twitter Admin change his password to “sadness” after he was hacked? haha

Posted at 7:38 pm on Jan 9th, 2009 by coffee

More entertaining version at
youtube.com/watch?v=AVMW3Dq2KSY

Posted at 3:29 pm on Jan 12th, 2009 by kfcguy

Brute force attack on Twitter

Recent Posts

Reader Comments

Leave a Reply

hacks

resources

rss newsfeeds

Most Commented On (30 days)

Recent Comments