Hacker Selling Millions of Stolen Twitter Passwords on the Dark Web
Hackers may have stolen over 32 million Twitter passwords that they are now selling on the dark web. Twitter has said that its systems have not been breached.
Millions of Twitter passwords may have been leaked
Following massive data leaks that have released over half a billion passwords on the dark web, Twitter is now possibly among the affected sites. In the last month alone, we saw a hacker selling stolen passwords from LinkedIn, MySpace and Tumblr, all of it data from years-old hacks and network breaches. A Russian hacker linked to last month's 3 mega breaches is now claiming to have a MASSIVE cache of millions of Twitter account logins for sale. Twitter, however, insists that it hasn't been hacked.
We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks. - Twitter
For 10 bitcoins (about $5,807), the hacker is selling over 32 million email addresses, usernames and plain text passwords. The seller said they obtained 379 million accounts in 2015. LeakedSource, a search engine of hacked data, noted in a blog post that the database on sale contains more than 32 million account details after duplicates were removed. The site, having obtained a copy itself, has said that the passwords are stored in plain text and that a large share of the data belongs to users in Russia.
Twitter credentials are being traded in the tens of millions on the dark web. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data. This data set was provided to us by a user who goes by the alias "Tessa88@exploit.im", and has given us permission to name them in this blog.
[...] more likely the malware was spread to Russians.
At this point, it appears that these details might have been obtained through malware attacks on users rather than by breaching Twitter itself. LeakedSource explained that passwords seem to be "stolen directly from consumers, therefore they are in plaintext with no encryption or hashing."
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates ஃ (@_mwc) June 9, 2016
Change your Twitter passwords, ASAP...
LeakedSource also revealed that the most commonly used password in the database is 123456, followed by 123456789, qwerty, and password. With a copy of the stolen passwords in hand, hackers find it even easier to target users, especially those who use similar passwords on several sites.
We hope that you are not someone who uses "password" as a password, because that wouldn't require a malware attack or network breach to break into your online accounts. But, whether this is a legitimate leak or simply a list compiled from the already existing pool of passwords, it wouldn't hurt to change your Twitter password.
By the way, Mark Zuckerberg isn't in the dataset - in case you were wondering.