Was Twitter Hacker Outfoxed By A Honeypot?

The reports this week that the hacker group Anonymous somehow managed to extract nearly 60,000 user names and passwords from Twitter and subsequently post them online are raising more questions than there are answers available.

Clearly, someone or some group got a list of names and passwords that are purported to be from Twitter. This list of names appeared on Pastebin on Tuesday, put there by an anonymous user.

But when you look at those alleged user names and passwords, the contents of the list itself raise questions, regardless of whether the group Anonymous obtained them or whether it was someone else just preferring to remain anonymous.

Nothing adds up

When you look at the lists, you’ll notice a couple of important characteristics, such as that virtually none of the passwords match the 25 most popular passwords of 2011.

Of course, a few here and there match the top 25, but only a few. If this had been a real list of users and passwords, the expectation would be for a very high percentage. Instead, nearly all of them qualify as strong, hard (or impossible) to remember passwords—something highly unlikely.

The next thing you’ll notice on the list is that nearly all of the email addresses are from free services such as Hotmail or Gmail. Only a tiny percentage appears to be real email addresses. If this were a list of real Twitter users, you’d expect a higher ratio of addresses from other types of Internet providers and companies.

So even without Twitter’s comment that the list is bogus, it’s possible to tell from a close examination of the list that the chances of it being real are vanishingly small. But add that to the fact that apparently 20,000 of the entries on the list are duplicates and most of the rest are users who have been bounced from Twitter, and you have to wonder exactly where this list came from.

Anonymous involvement?

There is speculation that Anonymous is retaliating against Twitter for bouncing spammers. But I don’t think this is the case. For one thing, the folks who are associated with Anonymous aren’t dumb. They can look at a list like this and see that it’s clearly fake.

This raises the question of whether the hacker group Anonymous was even involved at all. I suspect it wasn’t, if only because the group wouldn’t have made a mistake this basic. Instead, I think that the fact that the person who posted the list is anonymous in the lower case sense shows they just don’t want anyone to know who they are.

So if the breach wasn’t made by Anonymous, who did it? Right now, nobody knows, or if they know, they’re not saying. My guess is that it was a wannabe hacker just trying to establish street cred, not someone who is actually part of the Anonymous group.

However, the list clearly is associated with Twitter in some way, if only because the company has said that some of the names are accounts that have been suspended for spamming. This would indicate that Twitter is involved in producing the list, unless some hacker or group somewhere—perhaps Anonymous, perhaps not—is keeping track of all of the phony IDs people used to send spam, which seems unlikely.

What one security expert who insists on remaining anonymous (there’s that word again) tells me is that this may in fact be a sting put in place by Twitter to attract people who are trying to break in to the system and decoy them off into a form of Neverland that the industry calls a “honey pot”. The idea behind a honey pot is to create a place on a Website that seems real enough to hackers that they think they’ve broken into the real thing. There is just enough seemingly real information in the phony honey pot to convince whoever broke in that this is the real site.

Taking the bait

Once the Bad Guys are convinced the site is real, they go about downloading what on first look appears to be real information. Meanwhile, the activity is being monitored so security personnel can figure out who is trying to hack their way into the system. This is very likely what happened here. Twitter compiled a list of seemingly real accounts and left it where hackers could find it. They used all of those blocked spammer addresses as the bait. Whoever broke in took the bait.

We may never know for sure who posted that list of fake Twitter accounts, but it’s pretty clear that they never got near Twitter’s real user list, if only because it has so few names. Twitter users number in the tens of millions, and the nearly 60,000 names that showed up in the lists aren’t anything like the population of Twitter.

The bottom line it seems is that Twitter created a honey pot and a hacker got sucked into it. But it wasn’t Anonymous, and it wasn’t real data. The only plausible reason why Twitter isn’t saying more is most likely because the company would rather not talk about its honey pot. But this reasoning assumes that Twitter is telling the world something that approximates the truth.

How well do you know Internet security? Try our quiz and find out!