Do you have a highly coveted Twitter handle? You should probably change your password. One user, Daniel Dennis Jones, who formerly went by @blanket, has uncovered a very serious flaw that lets hackers crack your account and put it up for sale.
On Saturday, Twitter customer service notified Jones that his password had been changed. Alarming, because it clearly meant someone had found a way into his account. He tried to log in but couldn't. He was still logged in on his phone, however, and saw that all his tweets had been deleted and his follower count had dropped to a big fat goose egg.
Once he was able to log back into his account, his username had been changed to @FuckMyAssHoleLO, and his original handle, @blanket, now belonged to someone else. Jones did a little online digging and found his handle listed alongside a bunch of other sought-after names on a site called ForumKorner, where his and other Twitter handles, some of them illegally obtained, were being sold.
BuzzFeed FWD explains how hackers were able to break into his account so easily:
Most sites, including Twitter, flag or disable user accounts, or throw up a CAPTCHA, after a certain number of failed login attempts. But whereas many services, including Gmail, limit login attempts on a per-account basis, Twitter apparently only prevents large numbers of login attempts from the same IP address. In other words, hackers – or crackers, as they would call themselves – can try to log in as many times as they want, so long as the login attempts appear to be coming from different computers.
You can read Daniel’s entire tale on Storify. It’s a good reminder that you should be changing your passwords regularly to protect yourself from losing any ounce of your digital life. [BuzzFeed FWD]
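The BuzzFeed passage above describes the weakness as a throttle that counts failed logins only per source IP. The following is an added example, not code from the article, Twitter or BuzzFeed, that models both schemes on constructed data: a sliding-window throttle that can count failures per IP only, or per IP and per account. The `LoginThrottle` class, the `failed_attempts_served` helper and the `198.51.100.x` documentation-range addresses are all assumptions made for the illustration. Running it shows why per-IP-only limiting does nothing when attempts against one account are spread across many sources, and why a per-account counter is also the detection signal a defender would alert on.

```python
"""Added example (not from the article): per-IP-only login throttling versus
throttling that also counts failures per account. All data is constructed."""
from collections import defaultdict, deque


class LoginThrottle:
    """Tracks failed logins per source IP and, optionally, per account inside a
    sliding time window. A key is locked out once its failure count reaches its limit.

    max_per_account=None reproduces the weak, per-IP-only scheme."""

    def __init__(self, window_seconds, max_per_ip, max_per_account=None):
        self.window = window_seconds
        self.max_per_ip = max_per_ip
        self.max_per_account = max_per_account
        self._ip_failures = defaultdict(deque)       # ip -> timestamps of failures
        self._account_failures = defaultdict(deque)  # account -> timestamps of failures

    def _count(self, table, key, now):
        """Drop failures older than the window, then return how many remain."""
        q = table[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def allowed(self, ip, account, now):
        """Decide whether a login attempt may even be evaluated."""
        if self._count(self._ip_failures, ip, now) >= self.max_per_ip:
            return False  # this source has exhausted its budget
        if (self.max_per_account is not None and
                self._count(self._account_failures, account, now) >= self.max_per_account):
            return False  # this account is under attack from somewhere; lock it regardless of source
        return True

    def record_failure(self, ip, account, now):
        """Called after a wrong password; both counters advance together."""
        self._ip_failures[ip].append(now)
        self._account_failures[account].append(now)


def failed_attempts_served(throttle, account, sources, attempts_per_source):
    """Model wrong-password attempts against one account spread over `sources`
    distinct addresses, each staying under the per-IP limit, and count how many
    the throttle lets through to password verification.

    Uses constructed addresses from the 198.51.100.0/24 documentation range."""
    assert 1 <= sources <= 254, "constructed /24 only has 254 host addresses"
    served = 0
    now = 0.0
    for i in range(sources):
        ip = f"198.51.100.{i + 1}"
        for _ in range(attempts_per_source):
            now += 0.01  # attempts arrive milliseconds apart, well inside one window
            if throttle.allowed(ip, account, now):
                throttle.record_failure(ip, account, now)
                served += 1
    return served


if __name__ == "__main__":
    # Weak scheme: 100 sources, 4 guesses each, per-IP limit 5 -> all 400 are evaluated.
    weak = LoginThrottle(window_seconds=3600, max_per_ip=5)
    print("per-IP only   :", failed_attempts_served(weak, "example_account", 100, 4))
    # Per-account counter added: the account locks after 10 failures, whoever sends them.
    strong = LoginThrottle(window_seconds=3600, max_per_ip=5, max_per_account=10)
    print("per-IP+account:", failed_attempts_served(strong, "example_account", 100, 4))
```

The per-account lockout needs a recovery path (a time window, as here, or a password-reset or second-factor step) so that an attacker cannot use it to lock the legitimate owner out; the window also bounds how long a burst of distributed failures stays visible, so the same counter feeds an alert threshold of the kind the comments below discuss.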

From what I understand from this article (I didn't read the source material), the password was brute forced. So unless you plan on changing your password every other day, it is not going to make any difference.
Just use a stronger password and I suppose brute force becomes unfeasible.
If brute force isn’t working, you are not using enough.
With a random password generator you can create a password that might take a very long time to crack, but if someone is hell bent on stealing your account, especially if there is money to be gained, there’s practically nothing that you can do about it.
That depends on whether they really want to spend 500 years cracking your password. Also, you would really hope that such activity would be detected before it’s successful. 500,000 unsuccessful logins per hour might be an indicator.
This reminds me of an xkcd that was posted here last week:
http://xkcd.com/936/
I bet this guy was using a dictionary word as his password.
Also, how do the attackers keep brute forcing the account from different IP addresses? I’m thinking botnet.
Same way a DoS attack is launched, I suppose: by infecting numerous computers with a Trojan virus.
Yep, aka a botnet.
It can't be a botnet, else every infected computer would be locked out after a little while. It was probably brute-forced with a dictionary list and a proxy list, with the proxy used changing after so many password attempts.
I'm thinking that once one node of the botnet is blocked out, the software could move on to the next. But yes, the proxy list sounds like a better way of doing it.
If that were the case then using proxies would make much more sense.
And @Giz, is this really a security flaw? Is it not just an oversight?
A security flaw usually is an oversight. The only other possibility would be a planned security flaw, implying that the developer introduced the flaw on purpose, i.e. some sort of backdoor.
And Twitter didn’t get him his username back because….?
It was restored back to the way it was now.