Twitter says no accounts compromised after OAuth token 'hack'

The microblogging site said no accounts have been compromised after a hacker claimed to have acquired user details by allegedly breaking into its databases.
Written by Zack Whittaker, Contributor

Twitter has denied claims by a hacker that he downloaded user data, including passwords, from its databases, saying there has been no such breach of its security. 

The hacker, going by the name "Mauritania Attacker" and understood to be in the West African country, said he had in his possession "the entire database of users on Twitter," according to Indian site Techworm, which spoke to him on Tuesday.

But security researchers were quick to suggest that Twitter was not the victim of an elaborate hack — or any hack for that matter. A third-party app is understood to be at fault, which may have leaked as many as 15,000 account details.

A Twitter spokesperson said, via The Guardian: "We have investigated the situation and can confirm that no Twitter accounts were compromised."

Instead, the OAuth tokens, which he claims can be used to directly log in to user accounts for thousands of users of the microblogging site, were subsequently uploaded to file-sharing site Zippyshare.

These tokens are used to verify apps connecting to the microblogging service. They are not sufficient on their own to log in to Twitter, but could be used to direct further attacks on unsuspecting victims. 

The best practice for users thought to be affected by the data snatch is to revoke and re-establish access to third-party apps, GigaOm wrote on Tuesday.

After a series of high-profile account hijacks this year, from the Associated Press, and our very own sister site CBS News, Twitter implemented two-step authentication to bolster account security,
