Twitter Inc (TWTR) confirmed on Friday that hackers have obtained passwords and usernames from some people using the social network, who were victims of malware. The company has locked the affected accounts and is asking their owners to reset their passwords.
Earlier this week, LeakedSource announced it had obtained data from nearly 33 million Twitter accounts, provided by a hacker identified as Tessa88@exploit.in. The social network currently has 310 million monthly active users.
According to LeakedSource, all credentials may be real. Apparently, the data was stolen by malware from web browsers such as Chrome and Firefox. On Thursday, Twitter said that it was contacting the website to check the alleged information.
Twitter users need to reset their passwords to use their accounts
Michael Coates, Trust and Information Security Officer at Twitter, said that some passwords and usernames were indeed stolen.
“We’re confident the information was not obtained from a hack of Twitter’s servers,” he remarked in a statement issued Friday.
According to Coates, Twitter is still taking security measures to protect the affected accounts, “regardless of origin” of the data leak. The company cross-checked data provided by LeakedSource with its records.
Twitter determined that some accounts were compromised. As a result, it is adding extra protection to some of them. Owners whose passwords were actually obtained and exposed by hackers are required to reset their passwords, since their profiles have been locked.
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates ஃ (@_mwc) June 9, 2016
The social network has sent an email to people affected by leaks on ‘the dark web’
Passwords stored by Twitter are hashed with bcrypt. According to LeakedSource, the passwords offered by hackers are displayed in plain text because they were obtained through web browsers. Users can subscribe to the site for $0.76 to check whether their accounts appear in the database.
People can only check the first three digits of the passwords that are linked to each account. If someone wants to remove their data from the list, they can make a request to LeakedSource for free.
“If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the “dark web” – then you have already received an email that your account password must be reset,” said Coates on Friday.
Twitter security officer has contacted us and will forcibly protect you all from this leak.
— Leaked Source (@LeakedSource) June 9, 2016
Coates added that affected accounts will remain inaccessible until their owners want to use them, to prevent unauthorized people from accessing them. Twitter has recommended that users enable two-step login verification and use password managers such as 1Password or LastPass.
Twitter explained that hackers could break into multiple accounts at the same time by feeding the data into automated tools. Users who use the same password on different sites could have all their accounts affected as a consequence of just one data leak.
Over the past week, hackers released databases of 100 million LinkedIn and 360 million Myspace users, containing information such as emails and passwords. For instance, if someone uses the same password on LinkedIn and Twitter, hackers would be able to get access to both accounts.
According to LeakedSource, the most common password found in the data leak is “123456”, followed by “123456789”, “qwerty” and “password.”
Big or small, we have so many databases left to add that we should be finished in time for our grandkids to be informed.
— Leaked Source (@LeakedSource) June 9, 2016
Source: Twitter Blog