It has emerged that over 32 million Twitter usernames and passwords are for sale on the dark web.

Twitter DM

The Hack

A hacker is asking 10 bitcoins (roughly $5700) for a copy of the list. The list contains 32,888,300 records, each with a login name, email address and password.

As yet there is no confirmation as to whether the data is valid, and how it was obtained, although initial thoughts are that the data was compiled by malware attacking the users rather than Twitter directly.

Twitter breach unlikely

Twitter Inc (NYSE:TWTR) has said the information almost certainly did not come from a network breach at their end. A twitter blog stated, “we have very strong evidence that Twitter was not hacked, rather the consumer was,” which means they believe a virus or other malware infects the user’s computer, and this then allows password information to be relayed back.

Further, Twitter Inc (NYSE:TWTR)’s head of security Michael Coates has stated, “We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached.”

Details of the list being in circulation first emanated from Leaked Source, a website which has built a database of leaked or stolen passwords and logins.

Leaked Source also was of the opinion that the data appeared more likely to have come from users as opposed to a central ‘hack’ on Twitter, as suggested by the extra information that is supplied with the list, including where most of the account holders live.

Also, the fact that the information is displayed in plain text means that there is a greater likelihood that it would have come from browsers like Chrome or Firefox.

Analysis of the list shows a high percentage of Russian based accounts. Almost a quarter of the names on the list have Russian email addresses, suggesting the virus was probably most active in Russia. Some have suggested the source of the list is Russian.

The list came from an email address [email protected]

Response

Twitter Inc (NYSE:TWTR) has confirmed it is in dialogue with Leaked Source about verifying the data, and it is, “working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”

The sale of this Twitter data comes following the existence of large amounts of data with MySpace (over 300 million) and Tumblr login data, and only last month LinkedIn usernames and passwords were offered for sale.

Some people are not convinced. Security Expert Troy Hunt, who runs a website that allows people to see if their own information is included in hacks and leaks, has said “Just because we’ve seen some serious breaches recently doesn’t mean we should assume new ones are legit.”

People with weak passwords are advised to change their password (regardless of the breach), and those that use the same password across various platforms are also recommended to change their login details.

Even this week, Mark Zuckerberg, founder and CEO of Facebook had his social media accounts hacked. He was widely ridiculed for his ‘dadada’ password, but despite constant warnings (and some websites are now requiring a combination of upper and lower case letter numbers symbols), the two most popular passwords in the cache of names and logins was 123456 and password. Come on People!

Twitter

Twiter, the 140-character social networking site, has over 300 million active users.

Twitter opened down at $14.84 from the previous close $14.95. As of 10.55 EST, the stock is trading at $14.77 (1.16%).

Tags: