What has happened?
LeakedSource is claiming that a database of over 32 million Twitter account credentials is up for sale on the criminal underground – containing details such as users’ Twitter handles, email addresses, and plaintext password.
So Twitter was hacked then?
Jumping to that conclusion too early might be unwise.
Both LeakedSource and Twitter seem to be certain that Twitter itself was not breached. Instead, it seems more likely that the credentials were scooped up by malicious code that had infected users’ computer or originated from a data breach at a third-party site.
Michael Coates, Twitter’s Trust & Info Security Officer, used the platform to reassure users yesterday…
We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached.
…and later followed up with a blog post:
We’ve investigated claims of Twitter @names and passwords available on the “dark web,” and we’re confident the information was not obtained from a hack of Twitter’s servers.
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.
Twitter says that anyone whose credentials were exposed has now had account access blocked as a precautionary step, and that emails have been sent to users containing instructions on how to reset their passwords.
Ok. So maybe Twitter wasn’t hacked. But are the stolen Twitter account credentials legitimate?
It’s unlikely that all the passwords listed in the database will allow hackers to break into the associated Twitter accounts.
Whether that is because the details are incorrect or some of the data is stale and out-of-date is unclear – but if users were using the same password on different online accounts associated with the same username or email address they could continue to present a risk.
The truth is, however, that we simply do not know what proportion of the passwords listed in the database are accurate. The only company who can really confirm the quality of the stolen data is Twitter itself.
What would be wrong (and commit a crime of unauthorised access in many countries around the world) would be to take the database and test each password against its associated account.
For that reason, LeakedSource had to resort to manually contacting 15 of those people listed in the database to verify if it did include their real Twitter password. All 15 replied that the data was accurate.
In the statement published by Twitter today, the company reaffirmed that it had not been breached, but notably failed to give a number for just how many accounts had had their credentials exposed:
“In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.”
In other words, Twitter is declining to say just now many Twitter accounts have been put at risk as a result of the credentials database being distributed in the computer underground, but at least a “number” of the 32 million credentials were valid, and would have allowed unauthorised users to hijack accounts.
Haven’t a whole bunch of celebrities had their Twitter accounts hacked in recent days? Is that related?
Yes, there have been a lot of high profile Twitter hacks of late. How much of this is because of password reuse and the recently reported mega-breaches at sites like LinkedIn, MySpace andTumblr, or as a result of the credentials currently being offered on the computer underground is unclear.
So what *is* clear?
It’s clear that not enough people are taking their account security seriously. That means having unique, hard-to-crack passwords for every online account you have (a good password manager can assist you in this).
LeakedSource has revealed the most common passwords in the database that is circulating, and it makes for predictably depressing reading.
Passwords of this weak quality as this are as strong as tissue paper.
But more than that, sensible account security means enabling two-step verification (2SV) or two-factor authentication where available to benefit from a higher level of protection than relying on passwords alone.
Twitter calls its version of 2SV “Login Verification” and it requires users to not only give a username and password to connect to their site, but to also enter a one-time-password which is either sent to them as an SMS message to their mobile phone, or via a smartphone app like Google Authenticator.
The principle is that even if a hacker comes to learn your password, chances are that they don’t have access to your mobile phone and so will still not able to access your account.
Frankly, you’re playing a dangerous game if you have social media accounts and are not using additional layers of defence to help prevent them being compromised by hackers.
by Graham Cluley, ESET We Live Security