Twitter has confirmed that millions of Twitter account logins have been exposed by hackers on the dark web. More than 32 million Twitter account details have appeared on the website LeakedSource, a search engine that contains nearly two billion online account credential leaks. The total number of legitimate leaked account credentials is unclear, as Twitter has confirmed that millions of the published credentials were not valid.
In a blog post, Twitter reported that it had obtained the leaked data and is cross-checking it against its records to determine which accounts may be vulnerable. The company is securing potentially vulnerable accounts by monitoring location, device used and login history for unusual behavior. Affected users should already know if they’ve been hacked via an alert from Twitter. Affected accounts have been locked and their passwords must be reset by the account holder to regain access.
Twitter says the breach did not come from its servers, a claim backed by a report from LeakedSource. The company contends that the credentials were most likely amassed by combining information from other recent breaches with data collected by malware on victim machines. However, a definite determination of how the account information was obtained has not yet been made.
A Russian hacker, who goes by Tessa88, is reportedly selling a cache containing email addresses, passwords and usernames of 379 million Twitter accounts for 10 bitcoins, or roughly $5,810, according to ZDNet. The publication has also reported the seller had links to the recent breaches of LinkedIn and Myspace. In May, 360 million Myspace credentials and 100 million LinkedIn credentials went up for sale. An unidentified hacker selling users’ login information said that the data was privately offered to spammers and others targeting specific individuals’ accounts before it was announced for public sale.
Security researchers advised Twitter users to change their passwords and enable two-factor authentication. This authentication process requires a user to verify their identity with a PIN code sent to a trusted device in order to log into the service. Users should also maintain a valid email address for receiving password reset notifications and use a password manager so they can easily create unique passwords for the different sites they visit.