In the latest alleged data breach of a major social network, one hacker is claiming to have 32m login details, including passwords, of Twitter users on sale for 10 bitcoins (€4,000).
If this claim by a hacker going under the name Tessa88 is true, this would make Twitter the latest website to find itself on the end of a major breach, following the recent news that a 2013 hack on Tumblr saw more than 65m login details obtained illegally.
Or at least that’s what it would have looked like had the security researchers who revealed the news in a blog post, LeakedSource, not said that it has ‘very strong evidence’ that there was actually no breach of Twitter’s servers.
Signs point to malware
Rather, it appears that the details were obtained from the users themselves through a variety of means, but particularly malware that sent saved usernames and passwords from browsers like Chrome and Firefox back to the hackers from all websites, including Twitter.
The data set obtained by LeakedSource reveals 32,888,300 records in total, with each containing the email address and password of the users, many of which showed ‘<blank>’ or ‘null’ as their passwords, which browsers save passwords as in certain circumstances.
As for Tessa88, the data set they obtained will now be put up for auction on the dark web to the highest bidder, with a starting price of 10 bitcoins (€4,000), according to the BBC.
Based on LeakedSource’s findings, Russia was particularly hard-hit with this malware, with 7.4m of the account details originating from the country.
Zuckerberg not included
Following LeakedSource’s announcement of the details being flogged online, Twitter responded to the group, saying that it would be quickly taking action to protect the affected users.
This was then followed up by further tweets from Twitter’s head of security, Michael Coates, who reiterated this while also assuring users its own systems had not been breached.
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates ஃ (@_mwc) June 9, 2016
Interestingly, LeakedSource triple-checked the data set it obtained to see whether Facebook founder’s Mark Zuckerberg’s details were among the list of 32m email addresses.
Zuckerberg recently found himself revealed as a victim of the major 2012 LinkedIn breach, the largest single confirmed case to-date, which not only revealed the password to his account there, but also that of his Twitter and Pinterest accounts, as it was the same.
As it turns out, his details were not included in this new data set.
Twitter login image via ArthurStock/Shutterstock