LulzSec Reborn, a group presenting itself as the successor to the disbanded hacker crew LulzSec, has leaked the account records of around 10,000 Twitter users of TweetGif, an animated-GIF-sharing application. What the dump contained were the OAuth tokens TweetGif used to access those accounts, not Twitter passwords.
The file held an unusually detailed record for each member: username, real name, location, bio, avatar, the OAuth token TweetGif used to authenticate to Twitter on the user's behalf, and even the user's last tweet. An OAuth token is a credential in its own right: if the dump also includes the token secrets and the application's own consumer key and secret, whoever holds them can call the Twitter API as that user, within the permissions TweetGif was granted, until the user revokes the application. The hackers' motivations are unclear at this point, but an announcement posted on Pastebin linked to a download of the .SQL file.
TweetGif lets users post and share animated GIF clip art, but they must log in through Twitter. It appears to be a relatively small application, with fewer than 75,000 visitors globally according to its Flag Counter stats and only 690 followers of its Twitter account, @TweetGif.
“We can confirm that all Twitter account passwords have remained secure, and no breach of our systems has occurred in connection with the events experienced by TweetGif,” Twitter officials said. “Regarding how TweetGif was compromised, we can’t speak on their behalf. Since this application used OAuth, no user passwords were exposed; for more information on why OAuth is our recommended connection method to grant an application access to your account, please see our help pages on Safety: Keeping Your Account Secure and How to Connect and Revoke Third Party Applications.”
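To make concrete what Twitter's statement does and does not mean, the following is an added example, not code from the original article or from TweetGif. It implements the OAuth 1.0a HMAC-SHA1 request signing that Twitter's API used at the time (RFC 5849), on both the application side and a minimal stand-in for the API side. All keys, secrets, the hostname and the request are constructed sample values. Two things stand out: the user's password never enters the computation, which is why Twitter could say no passwords were exposed, and a leaked access token plus token secret (together with the application's consumer secret) signs requests that verify until the token is revoked.

```python
"""
Added example, not part of the original article: OAuth 1.0a (RFC 5849)
HMAC-SHA1 signing and verification using only the standard library.
Every key, secret and URL below is a constructed sample value.
"""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials; they stand in for an application's
# consumer credentials and one row of a leaked token table.
CONSUMER_KEY = "gifapp-consumer-key"
CONSUMER_SECRET = "gifapp-consumer-secret"
LEAKED_TOKEN = "1234-leakedaccesstoken"
LEAKED_TOKEN_SECRET = "leaked-token-secret"


def pct(value) -> str:
    # RFC 5849 section 3.6: percent-encode everything except the RFC 3986
    # unreserved characters A-Z a-z 0-9 - . _ ~ (space becomes %20, not +).
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: encode each key and value, sort by encoded key
    # then value, join as k=v with '&', then METHOD & enc(URL) & enc(params).
    # oauth_signature itself is never part of the signed material.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k != "oauth_signature")
    param_string = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(param_string)])


def hmac_sha1_signature(base_string: str, consumer_secret: str,
                        token_secret: str) -> str:
    # RFC 5849 section 3.4.2: the HMAC key is enc(consumer secret) & enc(token
    # secret). The user's Twitter password is nowhere in this computation.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce, timestamp):
    # What an application (or anyone holding its secrets and a stolen token)
    # sends in the Authorization header.
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, {**params, **oauth})
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret,
                                                   token_secret)
    return oauth


class ResourceServer:
    """Minimal stand-in for the API side: it knows the consumer secrets and
    the token secrets it has issued. Revoking an app deletes the token
    secret, after which nothing signed with that token verifies. A real
    server also checks timestamp freshness and rejects reused nonces; that
    replay protection is omitted here for brevity."""

    def __init__(self, consumers: dict, tokens: dict):
        self.consumers = dict(consumers)  # consumer_key -> consumer_secret
        self.tokens = dict(tokens)        # oauth_token -> (user, token_secret)

    def revoke(self, token: str) -> None:
        self.tokens.pop(token, None)

    def verify(self, method, url, params, oauth):
        # Returns the user the request acts as, or None if it does not verify.
        consumer_secret = self.consumers.get(oauth.get("oauth_consumer_key"))
        entry = self.tokens.get(oauth.get("oauth_token"))
        if consumer_secret is None or entry is None:
            return None
        user, token_secret = entry
        base = signature_base_string(method, url, {**params, **oauth})
        expected = hmac_sha1_signature(base, consumer_secret, token_secret)
        # Constant-time comparison avoids leaking the expected value by timing.
        if hmac.compare_digest(expected, oauth.get("oauth_signature", "")):
            return user
        return None


def demo():
    # Before revocation the leaked token signs a request that verifies as the
    # victim; after the victim revokes the app the same request is rejected.
    server = ResourceServer({CONSUMER_KEY: CONSUMER_SECRET},
                            {LEAKED_TOKEN: ("victim", LEAKED_TOKEN_SECRET)})
    url = "https://api.example.com/1/statuses/update.json"
    params = {"status": "Hello world!"}
    oauth = sign_request("POST", url, params, CONSUMER_KEY, CONSUMER_SECRET,
                         LEAKED_TOKEN, LEAKED_TOKEN_SECRET,
                         nonce="n1", timestamp=1339000000)
    before = server.verify("POST", url, params, oauth)
    server.revoke(LEAKED_TOKEN)
    after = server.verify("POST", url, params, oauth)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a TweetGif user is the one Twitter's help page points at: the fix is not a password change, which leaves the token valid, but revoking the application, which deletes the token secret on Twitter's side.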
Not all third-party Twitter applications follow best practices for securing user data. An Imperva report said 75 percent of Web applications may be vulnerable to remote file inclusion attacks because they incorporate insecure components that let users upload content such as images and videos; an image-sharing application like TweetGif falls squarely into that category.
In March, LulzSec Reborn introduced itself by claiming to be a resurrected version of the infamous LulzSec hacker coalition. The original LulzSec ceased operations almost a year ago after spending roughly six weeks attacking companies, governments, and law enforcement agencies. That same month, the FBI arrested core members using information obtained from Sabu, the group's leader, who had been cooperating with investigators.
However, many security researchers, such as F-Secure's Sean Sullivan and Naked Security's Graham Cluley, doubt that original LulzSec members are part of the "new" LulzSec. LulzSec Reborn has been largely quiet since it launched, claiming only one major attack so far, on the dating site Militarysingles.com.