Tens of millions of Twitter logins are being traded on the digital underground, but Twitter says it was not hacked.
So how could the logins have been obtained? One candidate: password reuse—that is, people affected by data breaches at other services using the same password on Twitter.
"We are confident that these usernames and credentials were not obtained by a Twitter data breach—our systems have not been breached. In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks," a Twitter spokesperson told Motherboard in an email. Michael Coates, trust and information security officer at Twitter, tweeted that the company stores passwords with the robust hashing algorithm bcrypt.
We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached.
— Michael Coates ஃ (@_mwc) June 9, 2016
When someone reuses a password across websites, all a hacker needs to do is check whether an email and password combination from a hacked site also works on other services, and if there aren't any extra security measures such as two-factor authentication, they're in. Not reusing passwords is one of the simplest security ideas to grasp, but one that many people ignore.
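The pattern just described leaves a recognisable trace on the defending side: one source trying many different accounts with mostly failures, with the occasional success marking an account whose reused password worked. The following added example (not from the article, and not Twitter's code) runs that detection over a few constructed log lines in an assumed `src=... user=... result=...` format and separates the accounts that need a forced reset from the rest.

```python
import re
from collections import defaultdict

# Constructed sample login-attempt log (not real data): 203.0.113.5 cycles
# through many accounts with mostly failures, the shape credential stuffing
# leaves behind; 198.51.100.7 is one user retrying their own password.
SAMPLE_LOG = """\
2016-06-09T10:00:01Z src=203.0.113.5 user=alice result=fail
2016-06-09T10:00:02Z src=203.0.113.5 user=bob result=fail
2016-06-09T10:00:02Z src=203.0.113.5 user=carol result=success
2016-06-09T10:00:03Z src=203.0.113.5 user=dave result=fail
2016-06-09T10:00:03Z src=203.0.113.5 user=erin result=fail
2016-06-09T10:00:04Z src=203.0.113.5 user=frank result=fail
2016-06-09T10:00:10Z src=198.51.100.7 user=alice result=fail
2016-06-09T10:00:15Z src=198.51.100.7 user=alice result=fail
2016-06-09T10:00:20Z src=198.51.100.7 user=alice result=success
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(success|fail)")

def parse_events(text):
    """Yield (src, user, succeeded) tuples from lines in the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "success"

def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.6):
    """Return {src: stats} for sources that tried many distinct accounts with a
    high failure rate. A user mistyping their own password hits one account
    repeatedly and is not flagged, so min_users keeps them out."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for src, user, ok in parse_events(text):
        s = stats[src]
        s["users"].add(user)
        s["attempts"] += 1
        s["fails"] += 0 if ok else 1
    flagged = {}
    for src, s in stats.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "attempts": s["attempts"], "fail_ratio": round(ratio, 2)}
    return flagged

def likely_compromised(text, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    reused-password hits that warrant a forced reset rather than a blanket lockout."""
    return sorted({u for src, u, ok in parse_events(text) if ok and src in flagged})

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_LOG)
    print(hits, likely_compromised(SAMPLE_LOG, hits))
```

The thresholds are assumptions to tune against a real login volume; the point is that distinct-account count, not raw failure count, is what separates stuffing from a forgetful user.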
"A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter," the Twitter spokesperson added.
We recently learned that the 2012 LinkedIn data breach was much larger than previously thought, totalling over 177 million hashed passwords (which were quickly cracked). MySpace had 362 million full records dumped, although the site had modified passwords by trimming them and converting them to lower case. Hackers also managed to rip 65 million hashed passwords from Tumblr. And just a few days ago, 100 million accounts for VK, Russia's Facebook, were put up for sale on the dark web.
The perils of reusing passwords have been made all too clear
Some of those dumps have led to a wave of high profile accounts on other sites being targeted. Facebook's Mark Zuckerberg is reported to have used the same password on his Twitter and Pinterest as he did for LinkedIn. Kylie Jenner, Lana Del Rey and Drake also had social media accounts hacked.
Curiously, however, many of the Twitter email addresses being traded as part of this recent cache don't appear to be included in Have I Been Pwned, a breach notification service run by security researcher Troy Hunt which has listed accounts affected by many of the hacks above. This indicates that these accounts may have been compromised in some other hack. Hunt's site does not yet host the VK.com data.
For its part, LeakedSource, another notification site, believes that individual Twitter users were infected with malware and their logins harvested that way. There is also the chance that some sort of third party application that had access to Twitter data was breached, and information stolen from that.
But regardless of the details of the Twitter incident, the perils of reusing passwords have recently been made all too clear. If the past few weeks haven't convinced people of these dangers, I just don't know what will.
There's never been a better opportunity to realize this and take the small, fairly painless steps that drastically improve your digital security. Take an hour or so out of your day to download or sign up for a password manager, such as LastPass or KeePass, which will generate a unique password for every site and store them securely, and then go and change all of your logins.