Twitter users need to be on the lookout for third-party application connections to their accounts, and should disengage and reengage all of them to skirt around hacking attempts.
In fact, that’s advice straight from the hacker who just leaked 15,167 Twitter credentials on Tuesday. The hacker, Mauritania, promised Techworm that he planned on stealing the “entire database of Twitter users [credentials]” and “no [Twitter] account is safe”. Depending on how he “feels,” he may or may not release the data he acquires, however.
While the information stolen thus far doesn’t include any hashed or unhashed passwords, it does include Twitter IDs, pictures, and OAuth tokens. OAuth tokens are what allow you to have access to Twitter without having to log in with a password each and every time. This is primarily used for third-party application login. So while having an OAuth token is not quite as good as having a password, it can technically grant access to a Twitter account.
Twitter has not come out with an official statement nor report on the issue, but the hacker himself says that there is an easy solution. Simply revoke all third-party access to your Twitter account, then reengage all of it. This will invalidate the OAuth tokens being used, and will render any data he stole useless until a second hacking attempt is made.
However, experts believe that Mauritania hacked into a third-party application that used OAuth tokens instead of Twitter itself, and that Twitter suffered no breach.
Mauritania isn’t the first person to expose the problem with OAuth tokens, which all work exactly the same on Facebook, Instagram, and Twitter. OAuth tokens don’t expire, and thus can be used to log-in indefinitely until they are manually reset by disconnecting and reconnecting a third-party application.
Skype, Dropbox, and Facebook have all reported that they have fixed OAuth vulnerabilities on their websites since Mauritania spoke with Techworm, but nothing has been heard from Twitter as of today.
So remember: simply revoke access to third-party applications and reconnect your account to said applications using the Twitter settings page while Twitter addresses the issue on its end.