32.8 Million Twitter Credentials May Have Been LeakedBreach Notification Site LeakedSource Claims Users Were Targeted by Malware
This story has been updated.
More than 32.8 million Twitter credentials have been compromised and are being offered for sale on the dark web, claims LeakedSource, a subscription-based breach notification service. But some security experts question whether the credentials are current and authentic.
"Each [Twitter] record may contain an email address, a username, sometimes a second email and a visible password," LeakedSource reports in a blog. "We have very strong evidence that Twitter was not hacked, rather the consumer was. These credentials, however, are real and valid. Out of 15 users we asked, all 15 verified their passwords."
In two tweets, Michael Coates, Twitter's trust and information security officer, said he was confident Twitter's systems had not been compromised.
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.— Michael Coates ஃ (@_mwc) June 9, 2016
LeakedSource claims that the data leak stems from malware infecting users' devices, "and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter."
The "proof for this explanation," LeakedSource says, is:
- The join dates of some users with uncrackable (yet plaintext) passwords were recent. "There is no way that Twitter stores passwords in plaintext in 2014 for example."
- There was a very significant amount of users with the password "
" and "null". "Some browsers "store passwords as " " if you don't enter a password when you save your credentials."
- The top email domains don't match up to a full database leak, "more likely the malware was spread to Russians." Many of the top 10 email domains targeted are Russian, the company reports.
Passwords were stolen directly from consumers; therefore, they are in plaintext with no encryption or hashing, LeakedSource says. "Remember that Twitter probably doesn't store the passwords in plaintext, Chrome and Firefox did."
LeakedSource says its source for the Twitter data is a user who goes by the alias "Tessa88@exploit.im," a mysterious figure who has recently supplied LeakedSource with several other batches of data for free related to a number of other social media breaches, including LinkedIn, MySpace and most recently, the international social networking site Badoo.com and the Russian site VK.com, also known as Bkohtakte or Vkontakte (see LeakedSource: Assume Every Website Has Been Hacked).
It's unclear why Tessa88 is releasing the data now because most of the breaches appear to have actually occurred years ago.
LeakedSource did not immediately reply to Information Security Media Group's request for comment.
Are the Credentials Authentic?
Troy Hunt, who runs the data breach notification service Have I Been Pwned, is skeptical about the authenticity of the apparently leaked credentials. "It looks almost certain that this isn't a breach of Twitter itself, rather an aggregation of data from unknown sources. It's highly unlikely there are 32 million credentials in there that are usable against Twitter accounts. I haven't seen the data myself, but I trust Twitter's position in terms of it not coming from their system."
Lysa Myers, security researcher at the security firm ESET, says there are oddities in the Twitter incident, as well as some of the earlier social media breaches recently revealed.
"The Twitter leak, like the MySpace leak, does have some very curious data," she says. "There are a lot of the expected passwords, but then there are several which were apparently chosen by thousands of users that are very odd. Over 20,000 users referencing one specific date in 1961 seems particularly peculiar."
It's plausible that the Twitter leak represents many years' worth of phished credentials, Myers says. "I suspect, like the MySpace leak, that the data is fairly old given that Hotmail and Yahoo are the second and third most popular domains" in the supposed compromised Twitter data set.
"With all the legitimate threats that are happening every day, I fear that shouting about the leak of probably ancient data will contribute to 'breach fatigue,'" Myers says.