Customer data for tens of millions of Twitter users has appeared for sale on the dark Web, but the information doesn’t seem to have been obtained through a breach of Twitter’s systems.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach — our systems have not been breached,” a Twitter spokesperson told us this afternoon. “In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
The release of over 32 million Twitter user records appears to have happened because the systems of those users were infected by malware, according to LeakedSource, a recently launched effort to search for hacked, leaked or stolen databases online. Those malware infections enabled hackers to obtain saved and protected information from users’ browsers, LeakedSource reported.
Twitter Systems ‘Not Breached’
LeakedSource obtained a copy of Twitter user data from someone using the alias “Tessa88@exploit.im,” according to a post published yesterday on the LeakedSource blog. The data set included e-mail addresses, usernames and passwords.
“We have very strong evidence that Twitter was not hacked, rather the consumer was,” LeakedSource said in the post. “These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords.”
Michael Coates, Twitter’s trust and information security officer, echoed LeakedSource’s conclusion in a tweet late last night. “We have investigated reports of Twitter usernames/passwords on the dark Web, and we’re confident that our systems have not been breached,” he said.
Coates noted in a second tweet that Twitter stores all passwords securely using bcrypt, a password-hashing function that turns each password into a salted hash string rather than storing it in clear text. Because bcrypt is deliberately slow to compute and salts each hash, it provides stronger password protection than fast, general-purpose cryptographic hash functions like SHA-1. Twitter is working with LeakedSource “to obtain this info & take additional steps to protect users,” Coates said.
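The two points in this paragraph, why a salted and deliberately slow password hash holds up better than an unsalted SHA-1 digest, and how a site can check its own accounts against credentials that leaked elsewhere (as the Twitter spokesperson describes above), can be shown in a few lines. The following is an added illustration, not code from Twitter or LeakedSource. Since bcrypt is not in Python's standard library, it uses hashlib.pbkdf2_hmac as a stand-in for a salted, work-factored password hash; the iteration count, the usernames and the "leaked" list are all constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed work factor for the stand-in KDF (pbkdf2_hmac, since bcrypt is not in the stdlib).
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The weak scheme the article contrasts with bcrypt: same input, same digest,
    no salt and no work factor, so a precomputed table cracks it instantly."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated password hash. Returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def find_reused_credentials(stored: Dict[str, Tuple[bytes, bytes]],
                            leaked: List[Tuple[str, str]]) -> List[str]:
    """Cross-check a third-party leak against our own password store.

    stored maps username -> (salt, digest) as kept by the site; leaked is the
    (username, plaintext) list obtained from the dump. Any account whose stored
    hash verifies against the leaked plaintext is a candidate for a forced reset.
    """
    hits = []
    for user, plaintext in leaked:
        record = stored.get(user)
        if record is not None and verify_password(plaintext, *record):
            hits.append(user)
    return hits


# Constructed sample data: three local accounts and a "leaked" list from another site.
STORED = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("123456"),
    "carol": hash_password("Tr0ub4dor&3"),
}
LEAKED = [
    ("alice", "hunter2"),                      # different password here: no hit
    ("bob", "123456"),                          # reused weak password: hit
    ("carol", "Tr0ub4dor&3"),                   # reused password: hit
    ("dave", "qwerty"),                         # not one of our users: ignored
]


def demo() -> List[str]:
    # Same password, two users: unsalted SHA-1 makes the reuse visible, the salted hash does not.
    assert sha1_unsalted("123456") == sha1_unsalted("123456")
    assert hash_password("123456")[1] != hash_password("123456")[1]
    return find_reused_credentials(STORED, LEAKED)


if __name__ == "__main__":
    print("accounts to reset:", demo())
```

The salted hash is what keeps an attacker with a copy of the database from matching it against a precomputed list of common passwords; the cross-check only works because the defender holds the leaked plaintext and can run it through the stored salt, which is exactly the one-directional comparison the site can do but an outsider with only the hashes cannot.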
Attempts To Peddle Data from Mega Breaches
Security developer Troy Hunt told us today that this latest dump of Twitter user information is “totally different” from other large-scale security breaches such as those that have hit LinkedIn, MySpace and other sites. Hunt provides online security training through Pluralsight and also runs the breach-notification site Have I been pwned?
“It looks almost certain that this isn’t a breach of Twitter itself, rather an aggregation of data from unknown sources,” Hunt said. “It’s highly unlikely there are 32 million credentials in there that are usable against Twitter accounts.”
Over the span of just a couple of weeks last month, user data obtained from hacks of multiple sites over past years has appeared for sale on the dark Web. Totaling more than 600 million passwords, the information on offer has included data from LinkedIn, Fling, Tumblr and MySpace.
As with previous dumps of usernames and passwords, the data appearing for sale from Twitter users showed that many people are still using easily cracked passwords such as “123456,” “qwerty” and “password,” LeakedSource reported.