Twitter Breach Leaks 15,000 User Details

Photo credit: Annette Shaff/Shutterstock.com

That is not to say that nothing happened. The hacker posted details of 15,000 accounts to the Zippyshare file-sharing service, minus the passwords. The likelihood is that the attacker doesn’t have the actual passwords.

The details he posted, in plain text, included user IDs and OAuth tokens. The latter are used by third-party apps that the user has authorized to access the user’s Twitter account, but are not on their own sufficient for someone else to get full access to the Twitter account proper. The breach would therefore appear to be not of Twitter itself, but of a third-party app.

Indeed, Mashable reports, “A source close to the matter also told Mashable the issue involved a specific third-party app which has already been suspended by Twitter.” It is therefore not necessarily time for all Twitter users to panic and instantly change their passwords – although they may wish to visit their settings page and revoke any old or no longer used third-party app access permissions.

There have been some suggestions that the app in question is Hootsuite. The Next Web contacted Hootsuite for clarification. “HootSuite itself has not been compromised or hacked,” said the company. “However, we are seeing attempts (some successful) to login to HootSuite using user IDs and passwords acquired from compromised social networks.” Hootsuite has now tightened its login process, using social verification and IP address logging, to prevent any further abuses. 

The Guardian explains, “The hacker claims to lead a hacking group called AnonGhost and to be defending the dignity of Muslims through his hack. The group is reckoned to have been behind the hacks of more than 10,000 sites in the past seven months, but none is as high-profile as Twitter.”
