A hacker claims to be sitting on more than 32 million Twitter account credentials with plans to sell the account details on the Dark Web.
The cybercriminal behind the claimed Twitter leak is the same hacker who was previously attempting to sell stolen data from Myspace, Tumblr and VK user accounts, namely Tessa88@exploit.im. The Twitter credentials have already made it online on paid search engine for hacked data LeakedSource, which says it received a total of 32,888,300 records, each containing user’s email address, username, possibly a second email, and a password.
According to the website, they contacted 15 impacted users and all of them verified that the passwords included in the leak are real, and they believe that the data set is the real deal. However, LeakedSource notes that the data leak might have not been the result of Twitter being hacked, but rather the users being compromised.
The search engine also notes that “123456” was the password occurring the most in the leak (120,417 times), followed by “123456789” (32,775 occurrences) and “qwerty” (22,770 occurrences). Moreover, they reveal that “@mail.ru” (5,028,220), @yahoo.com (4,714,314), @hotmail.com (4,520,434), @gmail.com (3,302,205) and @yandex.ru (1,020,757) were the top email domains in the data set.
These credentials were supposedly acquired with the help of information stealing malware designed to harvest them from browsers and other applications. Twitter has been using strong encryption when storing passwords for several years now, and it would make it impossible for newly created, very strong passwords to leak in plaintext if it wasn’t for malware compromising the user.
In fact, Michael Coates, Trust & Info Security Officer at Twitter, says that the company is storing all passwords with bcrypt, which should keep sensitive user data safe. He also notes that the social platform is working with LeakedSource in investigating the incident.
We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached.
— Michael Coates ஃ (@_mwc) June 9, 2016
What is yet unclear is how old the supposedly leaked data is, since LeakedSource doesn’t provide specific details on that, although they do suggest that some credentials might be only a couple of years old. Furthermore, IT Security expert Sorin Mustaca tells SecurityWeek that the manner in which these credentials were stolen isn’t that clear either.
“Interesting enough, Leakedsource writes that they “very strong evidence that Twitter was not hacked”, rather the users got infected with some malware which stole credentials directly from the browsers of any account, not only Twitter’s,” Mustaca says. “However, there is no clear evidence presented that this is indeed the case. Their explanation for malware stealing credentials from browser is not entirely valid.”
Although malware that targets browsers to steal user data is not unheard of, Mustaca explains that browsers store credentials encrypted, and that a master password is required to decrypt them. “Sometimes this password is the logged on user’s password, sometimes it is independent of the logged on user. But there is always a password,” he says.
According to Mustaca, the question that we need to ask ourselves is how the hacker ended up obtaining exactly Twitter accounts and the password in plain text. “And where are the other accounts?,” Mustaca also asks. If malware was indeed used to harvest these credentials, the attacker should have ended up with a whole lot of other user data as well, pertaining to other online services.
In the end, there is a great chance that this Twitter password leak might have been fabricated, as Australian security researcher Troy Hunt, who maintains the Have I Been Pwned service, says. In a tweet, he notes that fake breaches did emerge recently, and says in another that, although we’ve seen some major breaches recently, it doesn’t mean that new ones are real.
On its official support account, Twitter noted a couple of days ago that it was already looking at the data that emerged in the recent data leaks to see if there is a connection with what people use on its service. “To help keep people safe and accounts protected, we’ve been checking our data against what’s been shared from recent password leaks,” the company said.
If there is one thing that the previous major data breaches taught us, is that people should never re-use a password on multiple accounts and that they should always secure their accounts with strong, difficult to guess passwords. “123456”, “password”, or “qwerty” are the first passwords that an attacker will try when attempting to breach an account, and users should steer clear of them.
The recent series of high profile breaches has already triggered reactions from tech companies and online services. TeamViewer struggles with a flood of reports from users being hacked but says it hasn’t been compromised, Reddit decided to prompt users to reset their passwords to avoid account takeovers, while Microsoft announced that it is banning commonly used passwords from its services.