Recently revealed breaches of MySpace and LinkedIn have been followed by someone allegedly selling 32 million leaked Twitter accounts on the dark web. But Twitter spokespeople and the company's information security officer have denied that their security has been compromised, leading some to theorize that info from these accounts was leaked the old-fashioned way: by malware.
A Russian seller with the username "Tessa88" claimed to have the database of usernames, emails and passwords for 32 million accounts, according to ZDNet. The asking price was 10 bitcoins, or about $5,773, as of this writing. The seller noted they acquired the database in 2015 as part of a larger haul of 379 million accounts, far more than Twitter's 310 million monthly users, though that could include dormant ones.
In a prepared statement, a Twitter spokesperson denied that its systems had been hacked and said that the company has "been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks." Twitter's trust and info security officer tweeted last night that the company is confident that its systems weren't breached.
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users. — Michael Coates ஃ (@_mwc) June 9, 2016
Instead, the accounts were probably acquired by malware that copied passwords and usernames entered while browsing in Chrome or Firefox, according to LeakedSource. After filtering out duplicates, their analysis of the database confirmed 32 million purported accounts.
There's probably no cause for alarm unless your password is weak, said Microsoft regional director and MVP for developer security Troy Hunt:
Change your Twitter password if it's weak or reused, but they're probably the only reasons to. Oh - and multi-step verification too. — Troy Hunt (@troyhunt) June 9, 2016