Twitter says no accounts compromised after OAuth token 'hack'

Summary: The microblogging site said no accounts have been compromised after a hacker claimed to have acquired user details by allegedly breaking into its databases.

Twitter has denied claims by a hacker that he downloaded user data, including passwords, from its databases, saying there has been no such breach of its security. 

The hacker, going by the name "Mauritania Attacker" and understood to be in the West African country, said he had in his possession "the entire database of users on Twitter," according to Indian site Techworm, which spoke to him on Tuesday.

But security researchers were quick to suggest that Twitter was not the victim of an elaborate hack — or any hack for that matter. A third-party app is understood to be at fault, which may have leaked as many as 15,000 account details.

A Twitter spokesperson said, via The Guardian: "We have investigated the situation and can confirm that no Twitter accounts were compromised."

Instead, the OAuth tokens, which he claims can be used to directly log in to user accounts for thousands of users of the microblogging site, were subsequently uploaded to file-sharing site Zippyshare.

These tokens are used to verify apps connecting to the microblogging service. They are not sufficient on their own to log in to Twitter, but could be used to direct further attacks on unsuspecting victims. 

The best practice for users thought to be affected by the data snatch is to revoke and re-establish access to third-party apps, GigaOm wrote on Tuesday.

After a series of high-profile account hijacks this year, from the Associated Press, and our very own sister site CBS News, Twitter implemented two-step authentication to bolster account security,

Topics: Security, Privacy


Zack Whittaker is a writer-editor for ZDNet, and sister sites CNET and CBS News. He is based in the New York newsroom. His PGP key is: EB6CEEA5.
