Data stolen from more than 32 million Twitter users has been offered for sale on the dark web for 10 bitcoin, or around US$5,800, LeakedSource reported Wednesday. LeakedSource has added the account and email information to its searchable repository of compromised credentials.
The data set came from someone called “Tessa88@exploit.im,” who has been connected to other large collections of compromised data, including the credentials for 425 million MySpace accounts. The Twitter information consists of 32,888,300 records, LeakedSource said, with each record containing such information as email addresses, usernames and passwords.
The information likely came from compromised user systems rather than from a breach of Twitter’s systems, according to LeakedSource.
The hackers were able to infect tens of millions of users’ systems with malware that collected saved username and password information from browsers like Chrome and Firefox, the firm explained.
“We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached,” tweeted Twitter’s Trust and Information Security Officer Michael Coats.
“We are working with @leakedsource to obtain this info & take additional steps to protect users,” he added.
Although it doesn’t appear that Twitter’s systems were breached, the compromised data presents a serious problem to users and service providers around the world, noted Joe Siegrist, vice president and general manager of LastPass.
“It looks like plain text passwords have been stolen from over 32 million consumers, most likely from their browsers — IE, Chrome, Firefox, Safari,” he told TechNewsWorld.
“While it is heavily weighted towards Russian consumers, it’s impacting people all over the world,” he said.
LeakedSource found in its Twitter data more than 5 million email addresses with the “.ru” domain in them.
“It also means that this isn’t just a Twitter attack — that’s just the data source that’s being traded,” Siegrist continued.
“It means this is an end user plain text password scrape attack which will impact every account the end user saved. Every service provider in the world needs to be on the lookout for nefarious activity,” he warned.
For some Twitter users — those who have turned on two-factor authentication — compromised passwords won’t pose much risk to their accounts. Two-factor authentication requires that in addition to a password, a code — typically sent in the form of a text message to a mobile phone — also must be entered by an account holder.
“If log-in verification is enabled, then the attacker should not be able to access their account, because they don’t have the physical device that’s used to authorize the log-in,” Symantec Senior Security Response Manager Satnam Narang told TechNewsWorld.
While 2FA will protect a user’s Twitter account from compromise, other accounts might be at risk.
“If the Twitter password is reused elsewhere, Twitter two-factor authentication isn’t going to help you on those other accounts,” Trend Micro Global Threat Communications Manager Christopher Budd told TechNewsWorld.
Not reusing passwords may be difficult for many users, though. After all, even Facebook CEO Mark Zuckerberg reused a password for his Twitter account, which was compromised earlier this week.
To Reuse Is Human
“Many of us reuse our passwords. It’s a human habit,” said Rajneesh Chopra, vice presdent for product management at Netskope.
“Just last week, Netflix notified some of its users that they should change their passwords because it was the same one they used for LinkedIn,” he told TechNewsWorld.
Another dubious practice highlighted in the Twitter incident is the storing of credentials in browsers.
“Browsers aren’t the most secure way to store credentials, but it’s the most convenient place to do it,” Chopra said. “Given that we live our digital life in the browser these days, it ends up being the place where people store their passwords.”
Leaks that expose millions of passwords feed the hacker ecosystem, noted Craig Young, a senior security researcher for Tripwire.
“Every password dump helps attackers refine their toolkits,” he told TechNewsWorld, and the passwords can be used to hijack accounts and send spam and malicious links to the accounts’ followers.