First LinkedIn, Now Twitter ... Hacked User IDs For Sale

Uploaded on 2016-06-13 in TECHNOLOGY-Key Areas-Social Media, TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

There is yet another hack for users of popular social media sites to worry about. Hackers may have used malware to collect more than 32 million Twitter login credentials that are now being sold on the dark web. Twitter says that its systems have not been breached.

“We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks,” a Twitter spokesperson said.

LeakedSource, a site with a search engine of leaked login credentials, said in a blog post that it received a copy of the user information from “Tessa88@exploit.im,” the same alias used by the person who hacked the data from a Russian social media site.

Other major security compromises which have hit the news recently include a Myspace hack that involved over 360 million accounts, possibly making it the largest one ever, and the leak of 100 million LinkedIn passwords stolen in 2012.

LeakedSource says the cache of Twitter data contains 32,888,300 records, including email addresses, usernames, and passwords. LeakedSource has added the information to its search engine, which is paid but lets people remove leaked information for free.

Based on information in the data (including the fact that many of the passwords are displayed in plaintext), LeakedSource believes that the user credentials were collected by malware infecting browsers like Firefox or Chrome rather than stolen directly from Twitter. Many of the affected users appear to be in Russia—six of the top 10 email domains represented in the database are Russian, including mail.ru and yandex.ru.

Even though Mark Zuckerberg got several of his non-Facebook social media accounts hacked this week, including Twitter, his information wasn’t included in this data set, LeakedSource claims. Zuckerberg was ridiculed for appearing to reuse “dadada” as his password on multiple sites, but results from LeakedSource’s data analysis shows that many people are much less creative. The most popular password, showing up 120,417 times, was “123456,” while “password” appears 17,471 times. An analysis of the VK data also turned up similar results.

In a statement to TechCrunch, Twitter suggested that the recent hijacking of accounts belonging to Zuckerberg and other celebrities was due to the re-use of passwords leaked in the LinkedIn and Myspace breaches.

“A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter,” a Twitter spokesperson said. Twitter suggests that users follow the suggestions in its help center to keep their accounts secure. Twitter also posted on its @Support account that it is auditing its data against recent database dumps.

LeakedSource said that it determined the validity of the leaked data by asking 15 users to verify their passwords. All 15 confirmed that the passwords listed for their accounts were correct. However, experts cautioned that the data may not be legitimate.

Michael Coates, Twitter’s trust and information security officer, tweeted that he is confident the social media platform’s systems have not been compromised.

We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached.

“We securely store all passwords w/ bcrypt,” Coates added, referencing a password hashing function considered secure. “We are working with LeakedSource to obtain this info & take additional steps to protect users,” he continued.

Troy Hunt, the creator of a site that catalogs breaches called haveibeenpwned.com, also expressed skepticism about the authenticity of the data. Hunt told TechCrunch that he’d heard rumors of breaches at Twitter and Facebook for several weeks but had yet to see convincing proof. “They may well be old leaks if they’re consistent with the other big ones we’ve seen and simply haven’t seen the light of day yet. Incidentally, the account takeovers we’ve seen to date are almost certainly as a result of credential reuse across other data breaches,” Hunt said.

Whether or not the leaked Twitter credentials are authentic, it never hurts to change your password — especially if you use the same password across several sites. Turning on two-factor authentication also helps keep your account secure, even if your password is leaked.

TechCrunch:

« The FBI Is Looking For A Fight Over Encryption
MI5's Uncontrolled Bulk Data Collection »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ForgeRock

ForgeRock

ForgeRock, the leader in digital identity, delivers comprehensive Identity and Access Management solutions for consumers, employees and things to simply and safely access the connected world.

Clavister

Clavister

Clavister is a network security vendor delivering a full range of network security solutions for both physical and virtualized environments.

Intertek Group

Intertek Group

Intertek Group provides Assurance, Testing, Inspection and Certification services. Activities include cybersecurity testing and certification.

ecsec

ecsec

ecsec is a specialized vendor of security solutions including information security management, smart card technology, identity management, cloud computing and electronic signature technology.

National Authority for Electronic Certification and Cyber Security (AKCESK) - Albania

National Authority for Electronic Certification and Cyber Security (AKCESK) - Albania

AKCESK ensures security for trusted services, in particular reliability and security in electronic transactions between citizens, businesses and public authorities.

Smart Contract Security Alliance

Smart Contract Security Alliance

The Smart Contract Security Alliance supports the blockchain ecosystem by building standards for smart contract security and smart contract audits.

ICS-CSR

ICS-CSR

ICS-CSR is a research conference bringing together researchers with an interest in the security of industrial control systems.

US-Africa Cybersecurity Group (USAFCG)

US-Africa Cybersecurity Group (USAFCG)

USAFCG provides cybersecurity consulting services and delivers training programs for capacity building in Africa.

Secberus

Secberus

SECBERUS creates cloud security technology to help organizations stay secure & compliant in the public cloud.

Cytenna

Cytenna

Cytenna Signal is a suite of SaaS (Software-as-a-Service) products that use AI and machine learning to automatically aggregate the latest information about software vulnerabilities.

UTMStack

UTMStack

UTMStack is a Unified Security Management system that includes SIEM, Vulnerability Management, Network and Host IDS/IPS, Asset Discovery, Endpoint Protection and Incident Response.

RiskSmart

RiskSmart

RiskSmart empower risk, compliance, and legal teams with a tech-led and data-driven platform designed to save time, reduce costs and add real value to businesses.

FusionAuth

FusionAuth

FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome.

nodeQ

nodeQ

At nodeQ, we are pioneering the future of computer networks, leveraging our deep expertise in quantum communication, artificial intelligence, and software-defined networking.

Proton

Proton

Proton provides free encrypted email, calendar, drive, password manager, and VPN services. Building a better Internet.

LeakSignal

LeakSignal

At LeakSignal, we transform the way you monitor and protect your data. We provide unparalleled visibility and control over your sensitive data flows.