A reported 32 million passwords, as well as usernames and e-mails belonging to Twitter users, are being traded on the dark interwebs. However, Twitter is adamant there was no security breach.
Early this morning the site Leaked Source, which runs a database of stolen or leaked credentials, posted an announcement saying it was in possession of 32 million Twitter passwords, usernames and e-mails, which are currently being sold by hackers online. According to this announcement, the accounts and passwords seem to be valid, though only about a dozen accounts were checked.
The really interesting bit is that Twitter is adamant that there was no security breach on their end and that the passwords and accounts listed are coming from somewhere else. And there’s strong evidence to show that that’s the case.
For one thing, and indeed this is a very troubling aspect, all the passwords and information are stored in plaintext. No company, let alone one that deals with millions of users and security threats all the time, would store passwords like that. Secondly, the way the data is formatted and the email domains that show up don’t seem to correlate with any known data leak from a company. And lastly, there’s a large number of Russians on the list, judging by e-mail addresses, hinting that this trove of data may have originated in Russia.
As such, both Leaked Source and other industry watchers have suggested that the passwords and credentials might be coming from malware that captured them directly on the users’ devices. There are also credible voices saying that this data set may actually be fake, as there’s no significant proof of validity.
In either case, we recommend abiding by best practices when it comes to security: have long and complex passwords, use unique logins for every site and enable two-factor authentication whenever possible. Remember these tips and you should be fine, though that’s obviously easier said than done.