32 Million Twitter Credentials Emerge on Dark Web

32 Million Twitter Account Details for Sale

A hacker claims to be sitting on more than 32 million Twitter account credentials with plans to sell the account details on the Dark Web.

News of the alleged leak comes after millions of LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million) user accounts were leaked online.

The cybercriminal behind the claimed Twitter leak is the same hacker who was previously attempting to sell stolen data from Myspace, Tumblr and VK user accounts, namely [email protected]. The Twitter credentials have already made it online on LeakedSource, a paid search engine for hacked data, which says it received a total of 32,888,300 records, each containing a user’s email address, username, possibly a second email, and a password.

According to the website, they contacted 15 impacted users and all of them verified that the passwords included in the leak are real, and they believe that the data set is the real deal. However, LeakedSource notes that the data leak might not have been the result of Twitter being hacked, but rather of the users being compromised.

The search engine also notes that “123456” was the password occurring the most in the leak (120,417 times), followed by “123456789” (32,775 occurrences) and “qwerty” (22,770 occurrences). Moreover, they reveal that @mail.ru (5,028,220), @yahoo.com (4,714,314), @hotmail.com (4,520,434), @gmail.com (3,302,205) and @yandex.ru (1,020,757) were the top email domains in the data set.

These credentials were supposedly acquired with the help of information-stealing malware designed to harvest them from browsers and other applications. Twitter has been using strong encryption when storing passwords for several years now, which would make it impossible for newly created, very strong passwords to leak in plaintext unless malware had compromised the user.

In fact, Michael Coates, Trust & Info Security Officer at Twitter, says that the company is storing all passwords with bcrypt, which should keep sensitive user data safe. He also notes that the social platform is working with LeakedSource in investigating the incident.

What is yet unclear is how old the supposedly leaked data is, since LeakedSource doesn’t provide specific details on that, although they do suggest that some credentials might be only a couple of years old. Furthermore, IT Security expert Sorin Mustaca tells SecurityWeek that the manner in which these credentials were stolen isn’t that clear either.

“Interesting enough, Leakedsource writes that they have ‘very strong evidence that Twitter was not hacked’, rather the users got infected with some malware which stole credentials directly from the browsers of any account, not only Twitter’s,” Mustaca says. “However, there is no clear evidence presented that this is indeed the case. Their explanation for malware stealing credentials from browser is not entirely valid.”

Although malware that targets browsers to steal user data is not unheard of, Mustaca explains that browsers store credentials encrypted, and that a master password is required to decrypt them. “Sometimes this password is the logged on user’s password, sometimes it is independent of the logged on user. But there is always a password,” he says.

According to Mustaca, the question that we need to ask ourselves is how the hacker ended up obtaining exactly Twitter accounts and the password in plain text. “And where are the other accounts?” Mustaca also asks. If malware was indeed used to harvest these credentials, the attacker should have ended up with a whole lot of other user data as well, pertaining to other online services.

In the end, there is a great chance that this Twitter password leak might have been fabricated, as Australian security researcher Troy Hunt, who maintains the Have I Been Pwned service, says. In a tweet, he notes that fake breaches did emerge recently, and says in another that, although we’ve seen some major breaches recently, it doesn’t mean that new ones are real.

On its official support account, Twitter noted a couple of days ago that it was already looking at the data that emerged in the recent data leaks to see if there is a connection with what people use on its service. “To help keep people safe and accounts protected, we’ve been checking our data against what’s been shared from recent password leaks,” the company said.
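The kind of check Twitter describes can be sketched as follows. This is an added example, not Twitter's code: it parses leak records with the four fields LeakedSource lists and flags only those accounts whose current password still matches the leaked one. The colon-separated layout, the account store and the PBKDF2 stand-in for bcrypt are assumptions made so the example runs on the standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the stand-in KDF


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the service's password hash (the article says Twitter uses bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    """Build a hypothetical account row: per-user salt, hash, reset flag."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def parse_record(line: str) -> dict:
    """Fields as described in the article: email, username, optional second
    email, password. The colon separator is an assumption."""
    email, username, email2, password = line.rstrip("\n").split(":", 3)
    return {"emails": [e.lower() for e in (email, email2) if e],
            "username": username, "password": password}


def flag_exposed_accounts(leak_lines, users_by_email) -> list:
    """Mark accounts whose current password equals the leaked one."""
    flagged = []
    for line in leak_lines:
        rec = parse_record(line)
        for email in rec["emails"]:
            user = users_by_email.get(email)
            if user is None:
                continue  # leaked address is not one of our accounts
            candidate = hash_password(rec["password"], user["salt"])
            if hmac.compare_digest(candidate, user["hash"]):
                user["force_reset"] = True
                flagged.append(email)
    return flagged


# Constructed sample data: three accounts and a three-line "leak".
USERS = {
    "alice@example.com": make_user("123456"),
    "bob@example.com": make_user("correct horse battery staple"),
    "carol@example.net": make_user("qwerty"),
}
LEAK = [
    "alice@example.com:alice::123456",                  # still current
    "bob@example.com:bob::hunter2",                     # stale or wrong
    "old@example.org:carol:carol@example.net:qwerty",   # second email matches
]
```

Because the stored hashes are salted, each leaked password has to be re-hashed with the matching account's salt; stale or fabricated records simply fail the comparison and trigger no reset.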

If there is one thing that the previous major data breaches taught us, it is that people should never re-use a password on multiple accounts and that they should always secure their accounts with strong, difficult to guess passwords. “123456”, “password”, or “qwerty” are the first passwords that an attacker will try when attempting to breach an account, and users should steer clear of them.

The recent series of high-profile breaches has already triggered reactions from tech companies and online services. TeamViewer struggles with a flood of reports from users being hacked but says it hasn’t been compromised, Reddit decided to prompt users to reset their passwords to avoid account takeovers, while Microsoft announced that it is banning commonly used passwords from its services.
