Allegations concerning Twitter NSA spying are starting to pick up after the Twitter password leak shocked the world. The “bug” forcing the massive Twitter password change caught many people by surprise because the passwords of around 330 million Twitter users were being stored openly without being encrypted. Tech experts were especially stunned since it seemed like a mistake only a novice would make, not a tech giant. Political activist Kim Dotcom believes something more nefarious is going on and now he’s threatening a Twitter lawsuit.
The Twitter Password Leak Explained
On May 3, 2018, Twitter Support admitted that they “recently found a bug that stored passwords unmasked in an internal log.” Besides calling for everyone to change Twitter passwords, they claimed that there was “no indication of a breach or misuse by anyone.”
A longer official message explained how the Twitter password leak allegedly happened.
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard. Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
In non-technical terms, the plain-text password itself normally does not get stored on Twitter’s servers. Twitter stores only a hash, a scrambled, one-way version of the password that looks like a jumbled mess of typed characters to the naked eye. When a Twitter user logs in, the password entered at that moment is converted on the fly into a hash, which is then compared with the stored hash in the Twitter password database. If both hashes match, the user is granted access.
Companies store passwords this way because the method supposedly prevents the owner or employees of a website from seeing the plain-text version of passwords. This layer of security is meant to stop rogue employees from misusing user data or invading anyone’s privacy. Even if a malicious hacker breaks into a website, they can’t see your plain password, only the stored hash. That means a hacker would need to run a brute-force attack on the hash to crack your password, which takes a massive amount of time and computing power depending on the length and complexity of your password.
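The login flow and the logging failure described above, as an added example (not Twitter's code and not part of the original article). It shows a salted hash check, a handler that logs the raw request before hashing, and a log filter that masks the password field. PBKDF2 from the Python standard library stands in for bcrypt, and the field names, logger name and sample credentials are constructed for illustration.

```python
import hashlib
import hmac
import logging
import os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed form field names
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (stand-in for bcrypt's cost)

def hash_password(password: str) -> bytes:
    """Return salt || digest; only this value is meant to be stored."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, stored: bytes) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class RedactSecrets(logging.Filter):
    """Mask sensitive fields when a dict is passed as the log argument."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

class ListHandler(logging.Handler):  # keeps messages in memory for inspection
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def handle_login(form, stored, logger):
    # The failure mode: the raw request is logged before the password is hashed.
    logger.info("login request %s", form)
    return verify_password(form["password"], stored)

def demo(redact: bool):
    handler = ListHandler()
    if redact:
        handler.addFilter(RedactSecrets())  # mitigation: scrub before writing
    logger = logging.getLogger("login-demo")
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.INFO)
    form = {"username": "alice", "password": "correct horse"}  # constructed sample
    stored = hash_password(form["password"])
    return handle_login(form, stored, logger), handler.lines
```

Calling demo(redact=False) and demo(redact=True) returns the login result together with the captured log lines, so the two outputs can be compared directly.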
Twitter Password Hack Really About An NSA Spying Leak Or Just A Coincidence?
The timing of the announcement of the Twitter password hack just happens to coincide with the news that Apple, Facebook, Google, Microsoft, and other tech giants are fighting back against new proposals by the U.S. government to allow NSA spying. The companies were being asked to engineer security and encryption vulnerabilities into future devices and services in order to give backdoor access to law enforcement agencies.
What’s more, in early 2018, Twitter senior network security engineer Clay Haynes was caught on video talking about how Twitter passwords were being made available to law enforcement agencies.
“I can tell you who exactly logged in from where, what username and password, when they changed their password. It’s very, very dangerous. Also, very, very, very creepy. Big Brother-ish,” said Haynes.
If user passwords were being stored as hashes as Twitter officially claims, then how could a Twitter employee like Haynes know anyone’s password? It’s questions like these that led Kim Dotcom to “suggest this wasn’t an error but a deliberate effort to provide your passwords to US Govt agencies.” Kim Dotcom seems to believe that Twitter was hoping to avoid publicly admitting that they were allowing U.S. government spying but for some unknown reason, Twitter was forced to reveal the security vulnerability.
“We can only speculate why Twitter proactively admitted that they stored user passwords in clear text,” Kim Dotcom wrote. “A threat from a former employee? A pending lawsuit? Another imminent NSA leak? We don’t know, yet. What we can all agree on is that this wasn’t an ‘error’ or an honest mistake.”
Based on Kim Dotcom’s belief, Twitter allegedly announced the password “bug” publicly, closed the backdoor access to the NSA and other agencies, and urged all their users to change their passwords. On that basis, Kim Dotcom says he is seeking “a reputable US law firm to bring a class action case against Twitter for deliberately misleading users about password security.” The stated goal of the Twitter lawsuit is to have Twitter’s “management questioned under oath about misleading users by telling them that their passwords were encrypted while deliberately storing them in plain text and probably providing them unlawfully to US Govt agencies.”
There has never been a time in which the US Govt was more distrusted by world leaders than today. Even the closest allies of the US avoid US tech and smart phones because they know that they are deep state spying devices. The US tech sector will struggle as a result. You’ll see.
— Kim Dotcom (@KimDotcom) May 5, 2018