Millions of Twitter Credentials Up for Sale for Less Than a Cent Each

A hacker, who has links to the recent MySpace, LinkedIn and Tumblr data breaches, is claiming another trophy: Millions upon millions of Twitter accounts.

The Russian hacker, going by the handle Tessa88, is selling a cache of 32 million records for 10 Bitcoin on the Dark Web. It’s another example of how little account credentials are going for these days: 10 Bitcoin is the equivalent of around $5,820, which works out to less than a cent each.

Tessa88 took credit for the heist, in speaking to Leaked Source. That company, as its name suggests, is a leaked credentials database aggregation specialist (yes, there is such a thing). The site said that after checking out the database, it appears legitimate; several records (at least 15) have been confirmed. Each record in the database may contain an email address, a username, sometimes a second email and a visible, clear-text password.

Incidentally, Mark Zuckerberg isn't in the data set, which brings up another point: This haul is old (a fact that accounts for the dirt cheap price-tag). The seller said that this is merely a fraction of the 374 million records he or she has under their hoodie—and that he or she has been lifting credentials as far back as 2015. The plain text passwords would appear to bear this out: Twitter eliminated clear-text passwords and has been hashing them since 2015.

That said, it’s unlikely that Twitter was breached, it said, but rather, the tweeters were.

“The explanation for this is that 10s of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” it said in a blog post.

"We are confident that these usernames and credentials were not obtained by a Twitter data breach—our systems have not been breached,” Twitter said in a statement. “In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks."

Amit Ashbel, director of product marketing and cybersecurity evangelist at Checkmarx, told us that the fact that this is a new leak of an old steal isn’t surprising.

"I would start by stressing that this is regular practice by criminals,” he said. “Once they manage a large hack they will always save something for a rainy day. The fact that these are now being sold online indicates to me more than anything else that the hacker needs cash and now is the time to pop out that old stash and sell to the highest bidder.” 

If the credentials were indeed harvested from individual browsers' password stores, what can end users do to avoid their credentials ending up on Leaked Source and the Russian underground? Tod Beardsley, security research manager at Rapid7, told Infosecurity that using a password wallet is a good idea.

“We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password or LastPass,” he said. “It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”

And, to take a lesson from the Zuck, avoid password re-use. The Facebook CEO had his Twitter and Pinterest accounts hacked last weekend, with the hackers sourcing his password from the LinkedIn data breach last month (his password was reportedly, “dadada”).

Photo © Robert Lucian Crusitu

What’s Hot on Infosecurity Magazine?