Twitter in hot water after accidentally exposing 330 million users' password

DeslotlCL · May 4, 2018

linuxares said:
Oh boy... Notepads are really insecure

Providing that my phone is protected by a pin and also my finger print, i doubt someone could put his hand on them, and even then, i can remember my passwords just fine :teach:

epickid37 said:
LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. Best of all, it syncs to the cloud, so you can access your passwords on any device.

Sounds nice and all, but idk... still thanks for the heads up.

yodamerlin · May 4, 2018

With GitHub and Twitter falling for the same mistake of logging passwords, it wouldn't surprise me to see more over the next few weeks.

I think that the current state of authentication is not great, and password managers to me feel more like a hack on top of something not good that just adds friction to the far more easy solution of using the same password everywhere.

Browser based web authentication is something I look forward to.

VitaType · May 4, 2018

FAST6191 said:
"We recently identified a bug that stored passwords unmasked in an internal log."

That is not a little bug/oversight. I don't imagine for a moment that every line of their pass hashing and salting code was not gone over 50 times by multiple groups. For this to happen in spite of that... were I in their security teams right now I would almost hope it was malice that put it there.

It just says "internal log", possible that they did something like logging all data that get send by a post request to there server of course then including strings from the password fields.
Neverless it's straight up incompetence and it's hard to believe that such a large software company makes that kind of beginner mistakes.

epickid37 said:
LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. Best of all, it syncs to the cloud, so you can access your passwords on any device.

What's the obsession some people have with sending there passwords (if non-hashing encrypted or not) to other peoples computers if these computers aren't running exactly the service you use the password for?
It seems to be such a insane idea to me. You store all your passwords at one place on servers on the internet and all of them are encrypted with the same password! Not that much different from just using the same password everywhere... Yes, yes, these password sites should have more knowledge as the weakest link in the selection of websites you use the same password elsewhere, but still.

Hells Malice · May 4, 2018

FAST6191 said:
were I in their security teams right now I would almost hope it was malice that put it there.

I assure you, it was not I.

KingVamp · May 4, 2018

Titanica said:
This is why I don't use social media. Besides, what's the point of social media when you got GBAtemp?

I'm pretty certain GBAtemp had a password leak too.

Seriel · May 4, 2018

KingVamp said:
I'm pretty certain GBAtemp had a password leak too.

No it didn't. The supposed "password leak" was actually "that iso site" having a password leak, and people sharing their password there with GBATemp.

sarkwalvein · May 4, 2018

KingVamp said:
I'm pretty certain GBAtemp had a password leak too.

Did it really?
I remember some time ago there was a leak of password from several sites, including e.g. ngemu.com
Many users had the same password on the temps, and it was brought to the Staff attention due to some hacked accounts, and this was the reason the whole site changed suggested a password change and added 2-step verification.

But the leak was not on the temps side.

KingVamp · May 4, 2018

Seriel said:
No it didn't. The supposed "password leak" was actually "that iso site" having a password leak, and people sharing their password there with GBATemp.

Forgot about that. I think I changed my password anyway, at the time.

Asia81 · May 4, 2018

DarkFlare69 said:
Fortunately I learned my lesson before and never use the same password on more than one site. My Twitter password is 24 random characters

Same, something like that

DarkFlare69 · May 4, 2018

Asia81 said:
Same, something like that

Yeah, pretty much

VitaType · May 4, 2018

Titanica said:
[...] I don't use social media. Besides, what's the point of social media when you got GBAtemp?

Lets take a look: blogs (including blogrolls), the ability to follow people and have follower (even called that way), a personal short message stream for every single user on there profile page, status messages, the ability to add personal details to your profile such as birthday, country you life in, gender, occupation, a short personal text, ... and a PM system that even allows multiple users at once. At least there is nothing comparable to facebook groups (wonder what this "watch"-links above all this interest categories called forums make *click* Oh... nevermind)
If you don't like social media I fear I have really bad news for you: This software here is more of a social media software based on a forum software then just a forum software.

I agree general purpose social media such as facebook isn't great

MikaDubbz · May 4, 2018

I'm surprised someone didn't swoop in, find Trump's account and just troll everyone. That would be classic.

Viri · May 4, 2018

MikaDubbz said:
I'm surprised someone didn't swoop in, find Trump's account and just troll everyone. That would be classic.

I would honestly be too scared to. I'm sure doing something like that would put me on some sort of list. I'm pretty sure it's not illegal(unsure), but, I don't think I'd wanna piss off the US gov like that.

Arras · May 4, 2018

Viri said:
I would honestly be too scared to. I'm sure doing something like that would put me on some sort of list. I'm pretty sure it's not illegal(unsure), but, I don't think I'd wanna piss off the US gov like that.

If his twitter counts as an official communication channel (and it probably does at this point), you'd probably get arrested real fast if you did that.

jt_1258 · May 4, 2018

Fuck...well, I guess that's how some prick in Middleburg Hights Ohio got into my school's gaming club's twitter account yesterday

the_randomizer · May 4, 2018

Gee, someone really screwed the pooch over at IT, sucks for them as they're gonna get fired.

sarkwalvein · May 4, 2018

MikaDubbz said:
I'm surprised someone didn't swoop in, find Trump's account and just troll everyone. That would be classic.

That would be golden, really. Specially if the troll hacker starts mentioning topics and people that makes no sense for the president to mention... Oh wait, was the account hacked already?

DarthDub · May 4, 2018

MikaDubbz said:
I'm surprised someone didn't swoop in, find Trump's account and just troll everyone. That would be classic.

You mean he doesn't already troll people?

kuwanger · May 4, 2018

epickid37 said:
LastPass is amazing. It stores and can auto fill all your passwords. It can also generate random passwords. Best of all, it syncs to the cloud, so you can access your passwords on any device.

Sounds great and all until (1) some website figures a way to spoof appearing to be a bunch of others and harvests your usernames/passwords or (2) there's some Twitter-like accident where your passwords or their hashes end up being in some log somewhere that's hacked. Keepass looks better because (1) it's open source so you can verify the source (but you really have to do that and verify it to be safe) and (2) it's all local and only mirrored/used at your discretion. Personally, I don't use Keepass because it sounds like a database and database corruption can mean losing many passwords. It's the right idea, though, and reasonably safe if you regularly backup the database.

PS - IIRC gbatemp did have some issue where they were getting suspicious logins or something, so they encouraged people to change their password proactively. There's a big difference between a website having suspicious logins, being hacked and leaking password hashes, and leaking actual passwords which may or may not have been hacked.

MarkDarkness · May 4, 2018

Nowadays if people really changed their password every time a breach like this is announced, they'd need a password book to carry around, which defeats the purpose.

Nowadays it's either use a password manager/generator or not caring.

GBAtemp's scalie trash

Bok bok.

Well-Known Member

Are you a bully?

Haaah-hahahaha!

Doing her best

There's hope for a Xenosaga port.

Haaah-hahahaha!

Yuri Lover ~

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Well-Known Member

Ella

The Temp's official fox whisperer

There's hope for a Xenosaga port.

Amateur Hacker

Well-Known Member

Nocturnal

Similar threads

Popular threads in this forum