Twitter Clarifies Position on Credentials and Security

In light of the news that 32 million Twitter credentials were being sold for 10 Bitcoin ($5,820) on the Dark Web, Twitter maintains that the information was not obtained from a hack of Twitter’s servers.

In a statement on the Twitter blog, Michael Coates, trust and information security officer at Twitter, said that the names and passwords “may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both”.

The social network has identified a number of Twitter accounts for extra protection; accounts with direct password exposure were locked and require a password reset by the account owner.

Coates said that anyone suspected to have been impacted would have received an email to reset the password, and he encouraged users to enable two-factor authentication on their accounts. Advice on how to do this was presented by security blogger and speaker Graham Cluley.

Coates said that Twitter works hard every day to protect users’ accounts, its data and its systems. “The recent prevalence of data breaches from other websites is challenging for all websites – not just those breached,” he said.

“Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites. If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account. That’s why a breach of passwords associated with website X could result in compromised accounts at unrelated website Y.”

He also said that Twitter uses a variety of methods to protect the network and user accounts on an ongoing basis, including fundamentals such as using HTTPS everywhere, while account credentials are secured using bcrypt.

“We also protect access to accounts by evaluating items such as location, device being used, and login history to identify suspicious account access or behavior. In situations where your password has been directly exposed, you are sent a password reset notification; your account is protected until the owner of the email or phone number resets the password.”

Steph Locke, lead data scientist at CensorNet, said: “Whether Twitter was hacked or not, the danger here lies in the fact that, in all likeliness, these credentials will now be used in so many creative and threatening ways by cyber-criminals. Let's remember that, not only is personal data at stake here, but there is the inevitable knock-on effect as they start trying to see how these details can be used to hack into businesses.

“A lot of businesses use social media, and the marketing teams have a huge amount of networks and cloud applications with company IP in. A password doesn’t protect your data anymore. That system is broken and doesn’t identify a user accurately. Greater contextual analysis of log-on attempts is needed using other data points – location, device, time and so on – to verify a user is legitimate. Clearly using the same password for multiple accounts is never a good idea, but people will continue to do it and, until they stop, we need to make it as difficult as possible for criminals to exploit the situation.”
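As an added illustration of the credential-testing pattern Coates describes and the contextual log-on signals (location, device, login history) that both he and Locke call for, here is a small detection sketch. It is example code written for this article, not Twitter’s or CensorNet’s; the login events, field layout and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample of login events (not real Twitter data). Each tuple is
# (username, source_ip, device_id, country, success).
LOGIN_EVENTS = [
    ("alice", "203.0.113.7",  "dev-A1", "US", True),
    ("alice", "203.0.113.7",  "dev-A1", "US", True),
    ("bob",   "198.51.100.9", "dev-B1", "GB", True),
    # One address cycling through many different accounts: the pattern of
    # leaked username/password pairs being tested automatically.
    ("carol", "192.0.2.50", "dev-X", "RU", False),
    ("dave",  "192.0.2.50", "dev-X", "RU", False),
    ("erin",  "192.0.2.50", "dev-X", "RU", False),
    ("frank", "192.0.2.50", "dev-X", "RU", False),
    ("alice", "192.0.2.50", "dev-X", "RU", True),   # a reused password worked
]

def stuffing_sources(events, min_accounts=3):
    """Source IPs that attempted logins against >= min_accounts distinct accounts."""
    accounts_by_ip = defaultdict(set)
    for user, ip, _dev, _cc, _ok in events:
        accounts_by_ip[ip].add(user)
    return {ip for ip, users in accounts_by_ip.items() if len(users) >= min_accounts}

def risky_successes(events, min_accounts=3):
    """Successful logins that warrant a lock/step-up or password reset: either
    from an IP flagged as a stuffing source, or from a device+country that the
    account's own login history has never seen before."""
    flagged_ips = stuffing_sources(events, min_accounts)
    history = defaultdict(set)   # user -> {(device, country)} from prior successes
    risky = []
    for user, ip, dev, cc, ok in events:
        if not ok:
            continue
        reasons = []
        if ip in flagged_ips:
            reasons.append("ip-tested-many-accounts")
        if history[user] and (dev, cc) not in history[user]:
            reasons.append("new-device-or-location")
        if reasons:
            risky.append((user, ip, reasons))
        history[user].add((dev, cc))
    return risky

if __name__ == "__main__":
    for user, ip, reasons in risky_successes(LOGIN_EVENTS):
        print(f"review {user} from {ip}: {', '.join(reasons)}")
```

In the constructed sample only the final login is flagged: it comes from the address that probed four other accounts and from a device and country alice has never used, which is the case where a forced reset rather than a silent allow is the right response.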
