Skip to main content

    LulzSec hackers post data on 8,000 Twitter accounts, but your passwords are safe

    LulzSec hackers post data on 8,000 Twitter accounts, but your passwords are safe


    Hacker group LulzSec Reborn has released user information on 8,000 Twitter accounts that used the service TweetGif, but the table contains no passwords, only authorization credentials that can be easily revoked.

    Share this story

    After security breaches at LinkedIn,, and others, yet another big name has had account data released — but this time, there's much less to worry about. Hacker group LulzSec Reborn, known for leaking account data from Military Singles in March, has released what's been described as a "trove of information" on about 8,100 Twitter users (described as 10,000 by LulzSec Reborn) who used image sharing service TweetGif. Unlike the other hacks, though, this one doesn't actually include any passwords or password hashes. We found the file to be mostly public information like the names and locations displayed next to Twitter handles. More worrying is a list of token / secret pairs, which are used to authorize third parties like TweetGif to post to an account. However, these codes expire over time, and they can be revoked without any password changes by either the user or Twitter.

    A Twitter spokesman has corroborated this. "I can confirm that no Twitter account passwords were leaked," he told us. "Twitter was not compromised in this instance." We're waiting to hear if the company is taking any steps; for now, users can revoke access manually through their Twitter settings. Ultimately, this is proof that a third-party service was either insecure or a phishing attempt, and it could be a source of worry for users and Twitter alike. Still, in terms of all the hacks that have been going on lately, it's quite mild.

    Update: Twitter has given us the statement below on TweetGif and user data.

    We can confirm that all Twitter account passwords have remained secure, and no breach of our systems has occurred in connection with the events experienced by TweetGif. Regarding how TweetGif was compromised, we can't speak on their behalf.

    Since this application used OAuth, no user passwords were exposed; for more information on why OAuth is our recommend[ed] connection method to grant an application access to your account, please see our help pages on Safety: Keeping Your Account Secure and How to Connect and Revoke Third Party Applications.