Recently we heard that close to 32 million Twitter login details were hacked and leaked on the dark web.
Twitter has now confirmed the hack is real but says that the breach didn’t come from them and suggests malware on users’ computers could be the cause.
“We’ve investigated claims of Twitter @names and passwords available on the ‘dark web’, and we’re confident the information was not obtained from a hack of Twitter’s servers,” Michael Coates, Twitter’s security boss, wrote in a blog post.
“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both.
“Regardless of origin, we’re acting swiftly to protect your Twitter account.”
A blog post published by ‘Leaked Source’ – which has built a database of login data that has been leaked or stolen – revealed the Twitter credentials were being traded on the dark web for 10 bitcoins (£4,000).
It wrote in a blog post: “We have very strong evidence that Twitter was not hacked, rather the consumer was.
“These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords.”
Leaked Source suggests users’ data was stolen via malware – based on the fact that many of the stolen passwords were displayed in plaintext.
Coates, who says Twitter secures account credentials using bcrypt, added: “In each of the recent password disclosures, we cross-checked the data with our records.
“As a result, a number of Twitter accounts were identified for extra protection.
“Accounts with direct password exposure were locked and require a password reset by the account owner.”
Here’s what Coates suggests you should do:
1. Enable login verification (e.g. two factor authentication). This is the single best action you can take to increase your account security.
2. Use a strong password that you don’t reuse on other websites.
3. Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.