LulzSec Reborn, the so-called redux of disbanded hacker group LulzSec that emerged in March, leaked around 10,000 Twitter usernames and passwords of members on June 12, reports Mashable. The group carried out the hack through the third-party application TweetGif, a tool that allows members to share animated GIF files.
For those who do not know, TweetGif is a service that allows registered users to post animated GIFs on their Twitter feed. Interestingly, users have to provide their Twitter login information for the service to work, not unlike many other third-party social network applications that have faced security issues. As for its user base, the service is smaller than others, with fewer than 75,000 visitors globally and fewer than 700 followers on the company's Twitter account.
Reports have claimed that the leaked data contains a wealth of user information, far more than a typical password hack. The hacker group uploaded an SQL file to Pastebin that contains usernames, passwords, real names, bios, locations, avatars, the security token used by the service for authentication with Twitter, and the user's most recent Tweet.
Last month, this group also leaked account information from 171,000 members of the military via militarysingles.com. So far, it has not given a reason for its latest hack, although it has claimed responsibility for it.
So far though, TweetGif has not commented on the breach.
On the other hand, this breach certainly highlights that third-party Twitter apps do not always use best practices when it comes to securing user data.
Imperva, a computer security company, released a survey recently which suggested that 75 percent of web applications may be vulnerable to remote file inclusion (SQL injection) attacks because they include insecure tools which let users manually upload user-generated content like photos or videos.
While LulzSec is reportedly considered to be a subset of Anonymous, LulzSec Reborn appears to be a subset of LulzSec and has emerged in recent weeks, after carrying out an attack on the MilitarySingles.com website. Some experts have cast doubt on whether or not the new LulzSec group contains any members of the original group.
Past records show that LulzSec targeted a wide variety of organizations, either for ideological reasons or just "for the lulz," in other words, for the sake of amusement and the thrill of hacking.
Last year, the hacker group LulzSec carried out 50 consecutive days of attacks on websites and networks around the world before going quiet. Their targets included companies like Sony, governments, and law enforcement agencies such as the FBI.
Since then, five alleged members of the group have been arrested thanks to one of the main Anonymous hackers, known as Sabu, turning informant for the FBI.
The group claimed to have "retired" in late June of last year, although a LulzSec-organized hack against the Sun newspaper in the UK occurred a month later.