13 Jun 2012
LulzSec Reborn claimed responsibility for a recent leak of 10,000 TweetGif OAuth tokens, which in practice lets anyone holding a leaked token post Twitter messages on behalf of the compromised user.
Names, locations, bios, links to avatars, and the time of each user’s last tweet accompanied the leaked TweetGif OAuth tokens, further proving that the breach was real. The hacked data was distributed as a .SQL file, and the LulzSec spinoff group claimed responsibility by posting the news on Pastebin.
Although no actual Twitter passwords were leaked, cyber crooks can use the OAuth tokens for nefarious purposes. With a user base of 75,000 global visitors, TweetGif isn’t considered a major player among social media apps, but the incident does show that some social networking applications need tighter security policies.
"We can confirm that all Twitter account passwords have remained secure, and no breach of our systems has occurred in connection with the events experienced by TweetGif," a Twitter spokesman told SecurityNewsDaily in an email. "Regarding how TweetGif was compromised, we can't speak on their behalf. Since this application used OAuth, no user passwords were exposed."
Affected users are advised to check their “Twitter Settings” and disable the app’s access to Twitter. Doing so eliminates the need to change passwords.