Brute force attack on Twitter

Wired Threat Level has posted an interview with the hacker who recently broke into several high-profile Twitter accounts, such as those of Fox News and Barack Obama. Since we know how much you all love Twitter, we thought you might want to learn more about it. Apparently he used a brute-force attack against the account of a member of the support team. The password was “happiness”, which was cracked pretty quickly. This might be a good time to review your own strategies for preventing brute-force attacks.

22 thoughts on “Brute force attack on Twitter”

  1. Blacklisting IPs works too, but watch out for possible denial of service!

    The best thing is to enforce a minimum password strength for all users. Problem solved.

  2. happiness as a password. Whoever allowed that on a server they administered should be banned from ever working in the IT industry. That’s blatantly dumb.

  3. Also, on another note: 4chan types use stupidity like this and social engineering to break into accounts. It’s not software vulnerabilities by any means.

    I saw one case about a year ago where there were some people from there working as unpaid staff on an anime RPG site, and they were leaking information about accounts that were causing frequent defacements. They’re probably still there.

  4. First Palin, now this. This is awesome; no one is safe from hackers. You know, if you’re famous it’s pretty much inevitable that you will get hacked, it seems.

  5. @#7: Maybe under some other ideology. The majority of them have no software engineering skills. They exploit stupidity; under your statement that insinuates the stupid people are in the social majority. Kind of makes sense I guess.

    The most skilled person on 4chan probably runs metasploit or milw0rm modules. Which apparently fail, because they got into MySpace and a lot of other places by trivial means, such as weak passwords.

  6. It’s *so easy* to prevent brute-forcing, yet few do — @TJ, who said “it’s not software vulnerability”… yes, yes it is. Three (/four/five) retries, then you’re locked out for an hour. Bam, I’ve solved your problem, where’s my big fat check?

  7. Twtter example:
    “Today as I was walking down I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

    irony-zing.

    I keep my knives sharp in case I meet anyone that twitters about updating their blog. =/

  8. Tw[i/a]tter example:
    “Today as I was walking down [address] I was frustrated about the number of cameras, rfid’s, etc that track my every move….”

    irony-zing.

    I keep my knives sharp in case I meet anyone that twitters about updating their blog. =/

    (Excuse the double post > tags messed it up and with no edit…)

  9. The best method is what phpBB uses, imho: if you fail 3 password guesses you have to enter a captcha along with the password. The process would slow down so much that a good password would take days to find.

    You could also, after 10 or 15 bad guesses, disable the login for that account and send an email with an activation link.

    Even a dictionary attack would probably fail to find ‘happiness’ with just 10 tries.
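The throttling policy sketched in comments 6 and 9 (a CAPTCHA after three failed guesses, a one-hour lockout plus an unlock e-mail after ten), written out as an added example; this is not Twitter’s or phpBB’s code, and the class, method names and thresholds are assumptions chosen to match the comments:

```python
"""Per-account login throttle: CAPTCHA after 3 failures, lock after 10.
Added example, not code from the page or from any named product."""
import time
from dataclasses import dataclass

CAPTCHA_AFTER = 3     # failed guesses before a CAPTCHA is demanded
LOCK_AFTER = 10       # failed guesses before the account is locked
LOCK_SECONDS = 3600   # lockout length: one hour, as comment 6 suggests


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    email_sent: bool = False


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now              # injectable clock, eases testing
        self._state = {}             # username -> AccountState
        self.unlock_emails = []      # usernames that were sent an unlock link

    def _get(self, user):
        return self._state.setdefault(user, AccountState())

    def status(self, user):
        """What the login form should show: 'ok', 'captcha' or 'locked'."""
        s = self._get(user)
        if s.locked_until > self._now():
            return "locked"
        return "captcha" if s.failures >= CAPTCHA_AFTER else "ok"

    def attempt(self, user, password_ok, captcha_ok=False):
        """Record one attempt; returns 'success', 'bad_password',
        'captcha_required' or 'locked'. An unsolved CAPTCHA is rejected
        before the password is even checked, so it never counts as a guess."""
        s = self._get(user)
        if s.locked_until > self._now():
            return "locked"
        if s.failures >= CAPTCHA_AFTER and not captcha_ok:
            return "captcha_required"
        if password_ok:
            self._state[user] = AccountState()   # clean slate on success
            return "success"
        s.failures += 1
        if s.failures >= LOCK_AFTER:
            s.locked_until = self._now() + LOCK_SECONDS
            if not s.email_sent:                 # one unlock mail per lockout
                s.email_sent = True
                self.unlock_emails.append(user)
            return "locked"
        return "bad_password"
```

Because the counter is keyed on the account, not the source IP, a lockout can be triggered against a legitimate user (the denial-of-service risk comment 1 mentions); the unlock e-mail is what gives that user a way back in.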
