33 MILLION TWITTER ACCOUNTS HACKED
A hacker claims to be selling 33 million Twitter login credentials, including passwords. Twitter has confirmed this and warned the users whose accounts may have been affected. It also locked some accounts and sent a password reset request.
The leak follows a string of high-profile Twitter accounts being hacked, including those belonging to Katy Perry, Drake, Mark Zuckerberg and Evan Williams. It's hard to say whether those hacks are related to this latest password leak, but there is a possibility.
An analysis of the database by LeakedSource, a breach notification site which received the database from the seller on Wednesday, showed there are in fact over 32 million purported accounts in the database, after duplicates were removed.
Image: Evan Williams, Twitter's former CEO
LeakedSource said in a blog post that it was unlikely that Twitter was breached, and pointed to malware as the culprit.
"The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter," the blog post said.
The group said it was able to verify the passwords associated with 15 users. LeakedSource shared a portion of the database with me. Two colleagues whose email addresses were in the database were able to verify their password. A third colleague said they had not used the email address found in the database to join Twitter.
LeakedSource said that the passwords were likely "stolen directly from consumers, therefore they are in plaintext with no encryption or hashing." The group said it did not believe that Twitter stored data in plaintext at the time the data was taken, thought to be around 2014.
"These credentials however are real and valid," said the group. "The lesson here? It's not just companies that can be hacked, users need to be careful too."
As we've seen in recent data breaches, the most common password was "123456," with the third and fourth most common passwords being "qwerty" and "password" respectively.
A Twitter spokesperson said in a prepared statement: "We are confident that these usernames and credentials were not obtained by a Twitter data breach -- our systems have not been breached. In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks."
In a recent tweet, the company also said that it periodically checks its data against recent password leaks to ensure that accounts stay secure.