It’s recently been revealed that data has been stolen from over 32 million Twitter users and offered for sale on the dark web for 10 bitcoin, a total price of about US$5,800. LeakedSource made the sale public and added the account and email information to its searchable repository of compromised credentials.
Apparently the data set came from a user called Tessa88@exploit.im, a username that has been connected to other large collections of compromised data, including the credentials for over 425 million Myspace accounts that made headlines a few weeks back. The Twitter information includes over 32 million records, each containing an email address, username and password.
According to LeakedSource, that information likely originated from compromised user systems as opposed to a breach of Twitter’s systems, meaning that the hackers responsible infected tens of millions of users’ systems with malware that then collected saved usernames and passwords from browsers like Chrome and Firefox.
“We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached,” tweeted Twitter’s Trust and Information Security Officer Michael Coats, or whoever was posing as him. “We are working with @leakedsource to obtain this information & take additional steps to protect users.”
As stated earlier, it appears that Twitter’s systems were not breached to obtain the data. That said, the fact that all that data has been compromised poses a major problem for users and service providers alike on a global level. As Joe Siegrist, vice president and general manager of LastPass stated,
“It looks like plain text passwords have been stolen from over 32 million consumers, most likely from their browsers, i.e. Chrome, Firefox, Safari… While it is heavily weighted towards Russian consumers, it’s impacting people all over the world.”
“It also means that this isn’t just a Twitter attack- that’s just the data source that’s being traded,” continued Siegrist. “It means this is an end user plain text password scrape attack which will impact every account the end user saved. Every service provider in the world needs to be on the lookout for nefarious activity.”
While the attack is certainly disconcerting to all Twitter users, those with two-factor authentication aren’t likely to have the security of their accounts significantly compromised. Two-factor authentication requires that the person logging in not only provide a password but also enter a code sent to the account holder, generally as a text message to a mobile phone.
“If log-in verification is enabled, then the hacker should not be able to access their account, because they don’t have the physical device that’s used to authorize the log-in,” explained Symantec Senior Security Response Manager Satnam Narang. That said, even if 2FA protects a person’s Twitter account, a user who reuses the same password for other accounts may have other issues on their hands.
“If the Twitter password is reused elsewhere, Twitter two-factor authentication isn’t going to help you on those other accounts,” explained Trend Micro Global Threat Communications Manager Christopher Budd.