32 Million Twitter Accounts May Have Been Hacked
While Twitter says its systems have not been breached, more than 32 million Twitter login credentials may be available for sale on the Dark Web.
LeakedSource, a site that sells access to a searchable database of breached data, said the Twitter data contains 32,888,300 records, including email addresses, usernames and passwords. Many of the affected users appear to be in Russia.
LeakedSource, which obtained the data from Tessa88@exploit.im, is allowing Twitter users to remove their personal information for free. It believes the data was stolen by malware infecting browsers like Firefox or Chrome rather than from Twitter itself.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach–our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks,” a Twitter spokesperson said.
To validate the data, LeakedSource asked 15 users to verify their passwords. All 15 were correct. However, Michael Coates, Twitter’s trust and information security officer, and other experts say the information may not be legitimate.
“We securely store all passwords w/ bcrypt,” said Coates. “We are working with LeakedSource to obtain this info & take additional steps to protect users,” he continued.
Troy Hunt, creator of haveibeenpwned.com, also said he had not seen convincing proof this data was authentic.
“They may well be old leaks if they’re consistent with the other big ones we’ve seen and simply haven’t seen the light of day yet. Incidentally, the account takeovers we’ve seen to date are almost certainly as a result of credential reuse across other data breaches,” Hunt said.