Twitter insists ‘no breach’ as 32m logins go up for auction

10 Jun 2016

In the latest alleged data breach of a major social network, one hacker is claiming to have 32m login details, including passwords, of Twitter users on sale for 10 bitcoins (€4,000).

If this claim by a hacker going under the name Tessa88 is true, this would make Twitter the latest website to find itself on the end of a major breach, following the recent news that a 2013 hack on Tumblr saw more than 65m login details obtained illegally.

Or at least that’s what it would have looked like had the security researchers who revealed the news in a blog post, LeakedSource, not said that it has ‘very strong evidence’ that there was actually no breach of Twitter’s servers.

Future Human

Signs point to malware

Rather, it appears that the details were obtained from the users themselves through a variety of means, but particularly malware that sent saved usernames and passwords from browsers like Chrome and Firefox back to the hackers from all websites, including Twitter.

The data set obtained by LeakedSource reveals 32,888,300 records in total, with each containing the email address and password of the users, many of which showed ‘<blank>’ or ‘null’ as their passwords, which browsers save passwords as in certain circumstances.

As for Tessa88, the data set they obtained will now be put up for auction on the dark web to the highest bidder, with a starting price of 10 bitcoins (€4,000), according to the BBC.

Based on LeakedSource’s findings, Russia was particularly hard-hit with this malware, with 7.4m of the account details originating from the country.

Zuckerberg not included

Following LeakedSource’s announcement of the details being flogged online, Twitter responded to the group, saying that it would be quickly taking action to protect the affected users.

This was then followed up by further tweets from Twitter’s head of security, Michael Coates, who reiterated this while also assuring users its own systems had not been breached.

Interestingly, LeakedSource triple-checked the data set it obtained to see whether Facebook founder’s Mark Zuckerberg’s details were among the list of 32m email addresses.

Zuckerberg recently found himself revealed as a victim of the major 2012 LinkedIn breach, the largest single confirmed case to-date, which not only revealed the password to his account there, but also that of his Twitter and Pinterest accounts, as it was the same.

As it turns out, his details were not included in this new data set.

Twitter login image via ArthurStock/Shutterstock

Colm Gorey was a senior journalist with Silicon Republic