Twitter has responded to reports indicating that tens of millions of usernames and passwords for the social media service are currently available on the dark web, specifying that it is "confident the information was not obtained from a hack of Twitter's servers," and that the purported passwords may have come from breaches of other sites and malware hidden on its users' computers.
News that more than 32 million purported Twitter passwords were being traded on the dark web surfaced Wednesday night. A day later, after cross-checking the password dump with its records, Twitter identified some of its accounts as requiring extra protection, locking them and requiring a password reset. It's not clear how many accounts Twitter chose to lock, but the company told the Wall Street Journal the number was in the millions, and that those affected will have already received an email explaining the situation.
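The cross-check described above (comparing a leaked dump against a service's own records and flagging matches for a forced reset) can be done without the service ever holding plaintext passwords: each leaked password is run through the stored per-user salt and hash and compared in constant time. The following is an added illustration, not Twitter's code; the user store, the email-to-username map and the dump lines are constructed here, and the PBKDF2 iteration count is kept low only to make the demo fast.

```python
import hashlib
import hmac
import os

# Assumption: passwords are stored as PBKDF2-HMAC-SHA256 with a random per-user salt.
# The iteration count is deliberately low for the demo; production should use far more.
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(credentials):
    """Constructed user table: username -> (salt, password_hash)."""
    store = {}
    for username, password in credentials:
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


# Constructed sample accounts. "dadada" mirrors the reused password mentioned in the article.
USERS = make_user_store([
    ("alice", "correct horse battery staple"),
    ("bob", "dadada"),
    ("carol", "hunter2"),
])

# Constructed mapping from the identifier used in dumps (email) to the internal username.
EMAIL_TO_USER = {
    "alice@example.com": "alice",
    "bob@example.com": "bob",
    "carol@example.com": "carol",
}

# Constructed dump in the common "identifier:password" format, including junk and a
# pair for an account that does not exist on this service.
LEAKED_DUMP = """alice@example.com:wrongguess
bob@example.com:dadada
carol@example.com:hunter2
mallory@example.com:doesnotexist
bad line without separator
"""


def parse_dump(text: str):
    """Return (identifier, password) pairs; skip lines that do not fit the format."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        identifier, password = line.split(":", 1)
        pairs.append((identifier.strip().lower(), password))
    return pairs


def accounts_to_lock(dump_text: str, users: dict, email_map: dict) -> set:
    """Usernames whose current stored hash verifies against a leaked password.

    Only these accounts need a forced reset; non-matching entries are stale or bogus,
    which is how a service can tell a repackaged dump from a breach of its own data.
    """
    matched = set()
    for identifier, password in parse_dump(dump_text):
        username = email_map.get(identifier)
        if username is None or username not in users:
            continue
        salt, stored_hash = users[username]
        candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored_hash):  # constant-time compare
            matched.add(username)
    return matched


if __name__ == "__main__":
    print("lock and reset:", sorted(accounts_to_lock(LEAKED_DUMP, USERS, EMAIL_TO_USER)))
```

Because the hash is salted per user, a dump cannot be matched in bulk with one lookup; each entry costs one hash computation, which is also why the match rate for a dump (here two of four well-formed entries) says something about its origin.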
Twitter has locked some of the accounts it says were affected
The company has not denied that at least some of the user data on the dark web was accurate, but has distanced itself from the likes of LinkedIn and Myspace, both of whom had user passwords stolen when hackers breached internal databases. Twitter says computers infected with malware capable of harvesting their owners' login details may be responsible for some of the passwords making their way online, but also shifted the blame onto its recently hacked peers. "When so many breaches are announced in a short window of time, it may be natural to assume that any mention of 'another breach' is true and valid," the company explained in a blog post. "Nefarious individuals leverage this environment in order to either bundle old breached data or repackage accounts from a variety of breaches, and then claim they have login information and passwords for website Z."
Speaking to Ars Technica, security researcher Troy Hunt said he was "highly skeptical that there's a trove of 32M accounts with legitimate credentials for Twitter," specifying that "the likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low." Twitter itself said people should consider news of such "hacks" carefully and "scrutinize the merits of any credential claim."
News of the purported passwords circulating on the dark web was first provided by LeakedSource, a service that claims to allow people to remove themselves from such lists. LeakedSource echoed Twitter's line, telling the Wall Street Journal that it has "very strong evidence that Twitter wasn't hacked, rather the consumer was," identifying formatting techniques that suggested the data was captured from malware-infected computers rather than a master Twitter database.
Twitter took the chance to reiterate safety guidelines in its blog post explaining the situation, advising people not to use the same password across multiple services amid a spate of celebrity Twitter takeovers. Last weekend, Mark Zuckerberg's Twitter account was briefly hacked, the infiltrators gaining access using the same password the Facebook CEO used for his LinkedIn account. That password — "dadada" — was exposed when LinkedIn's database was hacked in 2012.