A massive cache of credentials and email addresses associated with Twitter accounts has been posted for sale online, but Twitter officials say the information did not come from a breach of the company’s network.
The database of more than 32 million passwords and email addresses, including many plaintext passwords, was offered for sale on an underground forum in Russia this week. The site LeakedSource, which aggregates leaked credentials from data breaches in a searchable database, has posted the list of credentials and speculates in an introduction to the cache that the stolen data came from malware installed on users’ machines rather than a breach at Twitter itself.
“We have very strong evidence that Twitter was not hacked, rather the consumer was. These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords,” the LeakedSource post says.
“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.”
Twitter officials said on Thursday that they don’t believe the information in the credential dump came from a breach at Twitter itself.
“We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached,” said Michael Coates, trust and information security officer at Twitter.
Coates said that all Twitter passwords are stored securely and hashed with Bcrypt. He added that the company is working with LeakedSource to get access to the credential cache in order to verify it and try to determine the source. LeakedSource said the passwords are in plaintext, which indicates they didn’t come from Twitter, and likely were extracted from individual users instead. Six of the top 10 email domains listed in the database of credentials are in Russia.
And, as you might expect, the most commonly used passwords found in the dump are spectacularly bad, including 123456, 123456789, qwerty, and the always-popular “password”. Even though the data likely didn’t come from a breach at Twitter, it’s probably not a bad idea to change your Twitter password if you have any suspicions that your credentials might be in the database.
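The two observations the article relies on, that the passwords are plaintext rather than bcrypt hashes and that the email domains and weak passwords point away from Twitter, are the kind of triage a defender does first on any credential dump. The following Python script is an added example, not code from the article, LeakedSource or Twitter: it runs over a handful of constructed `email:password` lines (fabricated, not real credentials), classifies each secret as a bcrypt-format string or plaintext by its modular-crypt prefix, and tallies the top email domains and the weak passwords the article names. The bcrypt check only recognises the string format (`$2a$`/`$2b$`/`$2x$`/`$2y$`, a two-digit cost, then 53 characters of salt and digest); it does not verify any hash.

```python
import re
from collections import Counter

# bcrypt strings in modular crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Weak passwords named in the article; any of these showing up in bulk is a red flag.
WEAK_PASSWORDS = {"123456", "123456789", "qwerty", "password"}

# Constructed sample dump in "email:password" form. These are fabricated
# test lines, not real credentials; the bcrypt line is a format-valid string
# included only to exercise the classifier.
SAMPLE_DUMP = """\
alice@mail.ru:123456
bob@yandex.ru:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
carol@example.com:qwerty
dave@mail.ru:password
erin@rambler.ru:123456789
frank@example.com:correct horse battery staple
"""


def classify_secret(secret: str) -> str:
    """Return 'bcrypt' if the value is a bcrypt-format string, else 'plaintext'.

    A dump whose secrets are bcrypt strings could plausibly have come from a
    site that hashes with bcrypt; a dump of plaintext values could not have
    been read out of such a store, which is the article's argument.
    """
    return "bcrypt" if BCRYPT_RE.match(secret) else "plaintext"


def bcrypt_cost(secret: str):
    """Return the bcrypt work-factor (cost) of a bcrypt string, or None."""
    m = BCRYPT_RE.match(secret)
    return int(m.group(1)) if m else None


def parse_line(line: str):
    """Split 'email:secret' on the first colon only; passwords may contain colons."""
    email, sep, secret = line.partition(":")
    if not sep:
        return None
    return email.strip().lower(), secret.rstrip("\n")


def triage(dump_text: str) -> dict:
    """Summarise a credential dump: hashed vs plaintext, top domains, weak passwords."""
    counts = Counter()
    domains = Counter()
    weak = Counter()
    for raw in dump_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        email, secret = parsed
        kind = classify_secret(secret)
        counts[kind] += 1
        domains[email.rpartition("@")[2]] += 1
        if kind == "plaintext" and secret in WEAK_PASSWORDS:
            weak[secret] += 1
    return {
        "total": sum(counts.values()),
        "plaintext": counts["plaintext"],
        "hashed": counts["bcrypt"],
        "top_domains": domains.most_common(3),
        "weak_passwords": weak.most_common(),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_DUMP)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

A real dump would be read from a file rather than an inline string, and the domain tally is what lets you say, as the article does, that most of the affected accounts cluster in a region Twitter's own user base does not. If `plaintext` dominates, the data was captured somewhere the password existed in the clear (a browser store, a phishing page, a keylogger), not a bcrypt-hashed account database.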