Two of my favorite Twitter bots (icetsvu and tshirtsbot) got hacked on Sunday and the attackers immediately got to posting a bunch of painfully unfunny racist garbage that at this point I still haven’t been able to get removed because – defcon weekend and it’s still only like 3am on the west coast… Needless to say, Twitter support is probably going to have a busy Monday. (update: finally got icetsvu cleaned up around 4am)
To the people saying “use a better password”, you’re missing the point… While that password was not great, it is not the password strength that was the problem. That password was made public in a data breach when some other site which I have no control over got hacked. My cardinal sin here was re-using it (I know, I know). This guy probably just downloaded a torrent of the breached passwords and stuffed a bunch until one worked.
So really, a “better password” = literally anything other than what I was using.
This is really just to say that, if I’m guilty of anything here it is sheer laziness. The worst part is, I even knew the password had been in a breach because I get notifications from haveibeenpwned.com but I hadn’t gotten around to rotating passwords on all of my 30 something bots…
I screwed up and I’m sorry to anyone who was subjected to the garbage they were posting to the accounts.
Anyways, the main point of why I’m writing this is so that you can learn from my mistake:
- Do not re-use passwords! Use a password manager to generate unique passwords for everything (I like Keepass and 1password)
- A “strong password” does not mean alphabet soup and lëët high ascii; that has been shown to be a misconception. A strong password should be very long and can be something memorable (spaces are special characters). Length works better than complexity against brute force attacks.
- Use 2FA — Authy helps make this a little less painful.
- Subscribe all of your email addresses to haveibeenpwned.com alerts and, most importantly, rotate your passwords immediately after they’re breached! Do not wait a day: that day turns into weeks, then months, and then you’re writing a blog post about how you got hacked 🙂
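Two of the points above are easy to misunderstand until you see them in code: how a breach-notification service can check a password without ever receiving it, and why “very long” beats “complex”. The following is an added example (not code from this post, haveibeenpwned.com, or any password manager). It runs fully offline: the breach corpus, its made-up occurrence counts, and the 16-word list are constructed for the example, and `offline_range_lookup` stands in for the HTTPS call a real client would make to a k-anonymity range endpoint.

```python
"""Offline demonstration of two points from the list above (example code,
not part of the original post):

1. A k-anonymity breach check: only the first 5 hex characters of the
   SHA-1 hash of a password are sent to the lookup service, which returns
   every hash suffix it knows for that prefix; the match is made locally.
2. Why a long passphrase beats a short "complex" password: a rough
   entropy estimate in bits for each.

The breach corpus and word list are constructed for this example; nothing
is fetched from the network.
"""
import hashlib
import math
import secrets
from collections import defaultdict

# Constructed "leaked passwords" with made-up occurrence counts.
CONSTRUCTED_BREACH = {
    "password": 3_000_000,
    "letmein": 250_000,
    "correcthorse": 1,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash the range API is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breach: dict) -> dict:
    """Group the corpus by 5-char hash prefix into "SUFFIX:COUNT" lines,
    mimicking what a range endpoint returns for one prefix."""
    index = defaultdict(list)
    for pw, count in breach.items():
        h = sha1_hex(pw)
        index[h[:5]].append(f"{h[5:]}:{count}")
    return dict(index)


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH)


def offline_range_lookup(prefix: str) -> list:
    """Stand-in for the network call (assumption: a real client would GET
    /range/<prefix> over HTTPS and return the response lines)."""
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str, lookup=offline_range_lookup) -> int:
    """Return how often the password appears in the corpus, or 0.
    Only the 5-char prefix is handed to `lookup`; the suffix comparison
    happens here, so the service learns neither the password nor its full hash."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        known_suffix, _, count = line.partition(":")
        if known_suffix == suffix:
            return int(count)
    return 0


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from
    `alphabet_size` choices: log2 of the search space an attacker must cover."""
    return length * math.log2(alphabet_size)


# Constructed word list; a real generator would use a large list such as the EFF one.
WORDS = ["ice", "shirt", "bot", "rotate", "breach", "torrent", "monday", "manager",
         "unique", "notify", "weekend", "alert", "length", "memorable", "space", "keep"]


def passphrase(n_words: int = 5, words=WORDS) -> str:
    """Generate a memorable passphrase with a CSPRNG; the spaces are part of it."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def compare_strength():
    """8 chars from the 94 printable ASCII symbols versus 5 words from a
    7776-word (diceware-sized) list: returns (bits_complex, bits_passphrase)."""
    return entropy_bits(8, 94), entropy_bits(5, 7776)


if __name__ == "__main__":
    for pw in ["password", "correcthorse", passphrase()]:
        n = breach_count(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
    complex_bits, phrase_bits = compare_strength()
    print(f"8 random printable chars: {complex_bits:.1f} bits")
    print(f"5 random diceware words:  {phrase_bits:.1f} bits")
```

The design point is the `lookup` parameter: the same `breach_count` works unchanged whether the range lines come from the constructed index here or from a real HTTPS client, and in either case the full password hash never leaves the machine. The entropy figures are for uniformly random choices; a passphrase you pick by hand from favourite words is worth less than the formula says, which is why the password manager in the first bullet should do the generating.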