Just days after Facebook czar Mark Zuckerberg’s social media accounts were found to be hacked, it appears that more folks will need to change their passwords.
ZDNet reported that a Russian hacker claimed to have a massive cache of millions of Twitter account logins for sale, for 10 bitcoins or about $5,807. LeakedSource, which indexes hacked credentials from data breaches, noted in a blog post that the database, of which it received a copy, contains more than 32 million accounts.
The site explained that the passwords were stored as plain text and several of them seemed to belong to users in Russia. As such, it’s more likely that these credentials were obtained through malware attacks on users rather than a breach of Twitter’s systems.
LeakedSource added that the most commonly occurring password in the database is ‘123456’, followed by ‘123456789’, ‘qwerty’ and ‘password’. That’s dangerous because the accounts using those passwords could be taken over with a little guesswork; no malware would even be required.
The real danger is that many people use the same password on several sites; if an attacker gets a single user’s account for one online service, they could likely access other accounts like their email inboxes and cloud storage.
The news comes shortly after it was reported that hundreds of millions of Myspace and Tumblr credentials were put up for sale last week. In May, a Russian hacker claimed to have 117 million LinkedIn accounts available for just 5 bitcoins ($2,200).
Update: A Twitter spokesperson said, “We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
Twitter’s Trust & Info Security Officer Michael Coates tweeted about the company’s investigation into the matter:
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates (@_mwc) June 9, 2016
Update 2: In a blog post, Twitter said that it has identified real accounts disclosed in the database and is locking some of them for those users’ safety:
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.
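The cross-check Twitter describes (match a leaked handle/password pair against your own records, then lock and force a reset only where the password itself is exposed) looks roughly like the following. This is added illustrative code, not Twitter’s or LeakedSource’s; the user store, the leak records and the blocklist are constructed sample data. Twitter said it stores passwords with bcrypt; this example stands in PBKDF2-HMAC-SHA256 from the Python standard library so it runs without third-party packages, and the check is the same either way: re-hash the leaked plaintext with the account’s salt and compare it to the stored hash. It also applies the LeakedSource top-four list as a set-time blocklist, which is the mitigation for the weak-password problem noted earlier in the article.

```python
"""Cross-check a leaked credential dump against a service's own password store.

Added example (not Twitter's or LeakedSource's code). All data below is
constructed. PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption) so the
script runs with only the standard library.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: work factor for the stand-in KDF


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash of a password; the store never keeps plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> Dict[str, bytes]:
    """Create a store entry with a fresh random salt (constructed user)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store: handle -> salted hash.
USER_STORE: Dict[str, Dict[str, bytes]] = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("123456"),
    "carol": make_user("s3cure!Pass"),
}

# Constructed leak dump: (handle, plaintext), as the article says the cache was stored.
LEAKED_RECORDS: List[Tuple[str, str]] = [
    ("alice", "hunter2"),       # handle present, password differs -> likely reused elsewhere
    ("bob", "123456"),          # direct password exposure
    ("carol", "s3cure!Pass"),   # direct password exposure
    ("dave", "qwerty"),         # not an account in this store
]

# The top entries LeakedSource reported for this dump; rejected at password-set time.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password"}


def password_matches(handle: str, plaintext: str) -> bool:
    """True only if the leaked plaintext hashes to the stored hash for that handle."""
    user = USER_STORE.get(handle)
    if user is None:
        return False
    candidate = hash_password(plaintext, user["salt"])
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, user["hash"])


def triage_leak(records: List[Tuple[str, str]]) -> Dict[str, str]:
    """Decide an action per handle.

    lock_and_reset: the leaked password is the account's current password.
    notify:         the handle is ours but the password is not; warn about reuse.
    ignore:         no such account here.
    """
    actions: Dict[str, str] = {}
    for handle, plaintext in records:
        if handle not in USER_STORE:
            actions[handle] = "ignore"
        elif password_matches(handle, plaintext):
            actions[handle] = "lock_and_reset"
        else:
            actions[handle] = "notify"
    return actions


def is_blocklisted(password: str) -> bool:
    """Reject the most common leaked passwords when a user sets a new one."""
    return password in COMMON_PASSWORDS


if __name__ == "__main__":
    for handle, action in triage_leak(LEAKED_RECORDS).items():
        print(f"{handle:6s} -> {action}")
    for pw in ("123456", "correct horse battery staple"):
        print(f"blocklisted({pw!r}) = {is_blocklisted(pw)}")
```

Only accounts whose current password actually appears in the dump get locked; a handle that appears with some other password gets a reuse warning rather than a forced reset, which mirrors the distinction between “identified for extra protection” and “direct password exposure” in the post above.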
If you’re keen on protecting your Twitter account, your best bet would be to change your password now and enable two-factor authentication.