Twitter data breach – “Our systems have not been breached”
There is no evidence of a Twitter data breach
32,888,300 login details of Twitter users have been put up for sale on the Dark Web. A user going by the alias Tessa88@exploit.im is asking for 10 bitcoins (£4060.20 at todays exchange rate) from anyone that wants a copy of the list. Twitter however, is confident that this is not a breach of its network.
It is believed that the details may have been gathered from combining information from other recent website breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Twitter has cross-checked data with their own records and Twitter accounts identified for extra protection have been locked and require a password reset by the account owner.
LeakedSource, a site that keeps a database of leaked login credentials, added a copy of the data to their searchable repository of leaked data. Credentials on the list have been verified as real and valid and LeakedSource use the following explanation as proof this was not a Twitter data breach.
The join dates of some users with uncrackable (yet plaintext) passwords were recent. There is no way that Twitter stores passwords in plaintext in 2014 for example.
There was a very significant amount of users with the password “<blank>” and “null”. Some browsers store passwords as “<blank>” if you don’t enter a password when you save your credentials.
The top email domains don’t match up to a full database leak, more likely the malware was spread to Russians.
LeakedSource also list some of the passwords Twitter users use and it shows that there are a lot of people who are not following good password practices. You can read an earlier post of mine regarding password security and if you are using simple passwords and/or using them on multiple sites, change your habits now.
There is also a large concern of malware harvesting credentials, not just for Twitter but for any website that your browser may have saved passwords for. Check your computer regularly for viruses and malware, if you don’t feel confident in doing this, take your computer to a local computer repair company and ask them to check for you.