Wide Open Botnet Attackers Leave Credential Stuffing Network Vulnerable via Full Admin Leaks

An exposed command-and-control panel was found running a credential-stuffing botnet targeting Twitter/X accounts, with no authentication protecting the interface.

The panel exposed worker servers, root SSH credentials, live attack controls, and result files, turning the attacker’s own operation into an open target.

Exposed Control Panel

The panel, titled “Twitter Checker Master Panel – FULL FIX v2.3,” ran on an unauthenticated Flask application at 144.76.57.92:5000.

Its public API exposed functions to list servers, start and stop checks, upload combo lists, download results, and push new settings, which means anyone who reached the panel could have monitored or controlled the botnet.

During a 12-minute observation window on April 10, 2026, the operation reportedly tested 722,763 credentials and compromised 18 additional Twitter/X accounts in real time.

Lifetime statistics showed more than 4.8 million accounts tested and 138 confirmed compromises, with the operation failing most often when two-factor authentication was enabled.

Worker Fleet and Attribution

The worker fleet reportedly consisted of 18 servers in a single /24 range, with each machine managed through root SSH credentials exposed in plaintext through the panel.

The panel and worker naming, along with the Turkish-language interface, point to a Turkish-speaking operator or team using infrastructure in Ankara, Turkey.

The infrastructure also showed signs of weak operational security beyond the botnet itself. The C2 server allegedly exposed additional administrative services, including RDP, SMB, and WinRM.

At the same time, the IPs remained undetected by major threat intelligence services at the time of publication, according to the report.

The exposed password pattern across the workers suggests the credentials were generated using the same template rather than chosen manually.

That kind of consistency can make an infrastructure easier to manage. However, it also creates a clear fingerprint for defenders and researchers tracking the operation.

Why It Matters

Credential stuffing remains effective because many users still reuse passwords across services, and attackers only need a small success rate to make the campaign worthwhile.

Industry guidance notes that automated login attempts can be repeated at scale, and the most effective defenses are strong password hygiene, rate limiting, and multi-factor authentication.

According to Breakglass research, the most important detail is the 2FA signal. The report says the botnet could not bypass accounts protected by two-factor authentication, meaning the exposed campaign succeeded only against users with password-only protection.

For defenders, this case is useful in two ways. First, it shows that credential-stuffing infrastructure is often simple, noisy, and fragile.

Second, it shows that attacker mistakes can expose the entire operational stack, from worker inventory to live session controls, giving responders valuable intelligence for blocking and takedown work.
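The traits described above (many workers in one /24, millions of attempts, a tiny success rate, failures where 2FA is enabled) translate into a simple detection rule on the defending service's own login logs. The following is an added example, not code from the report or the panel; the event format, the `mfa_blocked` outcome label, the thresholds and all sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def sample_events():
    """Constructed login events: (source_ip, username, outcome)."""
    events = []
    # Constructed: six hosts in one /24 (documentation range), 40 accounts each.
    for host in range(10, 16):
        for n in range(40):
            outcome = "fail"
            if (host, n) == (10, 7):
                outcome = "ok"            # password-only account taken over
            elif n == 9 and host in (11, 12):
                outcome = "mfa_blocked"   # password was valid, second factor held
            events.append((f"203.0.113.{host}", f"user{host}_{n}", outcome))
    # Constructed: ordinary users on another range signing in to their own accounts.
    for n in range(5):
        events.append((f"198.51.100.{n + 1}", f"alice{n}", "ok"))
    events.append(("198.51.100.1", "alice0", "fail"))
    return events

def detect_stuffing(events, min_accounts=100, max_success_ratio=0.02):
    """Flag source /24s that try many distinct accounts with very few successes."""
    stats = defaultdict(lambda: {"ips": set(), "users": set(), "attempts": 0,
                                 "ok": [], "mfa_blocked": []})
    for ip, user, outcome in events:
        net = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        s = stats[net]
        s["ips"].add(ip)
        s["users"].add(user)
        s["attempts"] += 1
        if outcome in ("ok", "mfa_blocked"):
            s[outcome].append(user)
    findings = {}
    for net, s in stats.items():
        ratio = len(s["ok"]) / s["attempts"]
        if len(s["users"]) >= min_accounts and ratio <= max_success_ratio:
            findings[net] = {
                "source_ips": len(s["ips"]),
                "accounts_tried": len(s["users"]),
                "reset_and_revoke_sessions": s["ok"],
                "rotate_password_mfa_held": s["mfa_blocked"],
            }
    return findings

if __name__ == "__main__":
    for net, finding in detect_stuffing(sample_events()).items():
        print(net, finding)
```

Accounts in the `rotate_password_mfa_held` list were protected by the second factor, but their passwords are known to the attacker and should still be rotated.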


The post Wide Open Botnet Attackers Leave Credential Stuffing Network Vulnerable via Full Admin Leaks appeared first on Cyber Security News.

