Tens of millions of Twitter account records including cleartext passwords are up for sale on a black market site, the latest cache of bundled credentials for major online services to be made available.
The Twitter records have been analyzed by LeakedSource, which said in a post yesterday that a Russian hacker known as Tessa88 provided it was the data set. Tessa88 has also provided LeakedSource with hundreds of millions of MySpace and VK.com credentials.
An anonymous LeakedSource representative told Threatpost today that Tessa88 is “closer to black [hat] than white.”
“He has some very big connections in the Russian hacker community,” LeakedSource’s representative said. “We know he has access to lots of data and is from Russia.”
LeakedSource said it has 32,888,300 Twitter records containing email addresses, usernames, secondary emails and plaintext passwords. LeakedSource said it does not believe Twitter was breached, but rather the victims had their credentials stolen by malware capable of sniffing passwords stored in Chrome and Firefox.
“That’s just our very, very strong theory based on the proof provided. We’ve seen various types of malware but this would be along the lines of a RAT (remote administration tool),” LeakedSource told Threatpost. “Generally these are used to DDoS websites but almost all of them have a single one click button to force your victims to send their browser passwords. It would be the same thing that people did when they hacked TeamViewer users.”
LeakedSource has shared its data with Twitter. A request for comment from Twitter was not returned in time for publication. It’s believed Twitter could shortly force a password reset on affected users.
The fact that the credentials are in plaintext, LeakedSource said, lends credence to the theory that Twitter was not breached. Instead they were stolen directly from users before they were encrypted.
“Enough of them are so difficult to decrypt that it is unlikely they were stolen from Twitter because they store passwords in Bcrypt,” LeakedSource said, adding that a large number of users in the data set have their passwords set as “” indicating the username is stored in the browser without the password.
A ZDNet report from today says the Twitter passwords are available for 10 Bitcoin, or about $5750 USD.
As for the passwords, the quality is poor. According to LeakedSource, the top Twitter password in the data set is 123456 (120,417 times) with seven other permutations of that in the top 10 along with “qwerty” and “password.”
LeakedSource also theorizes that most of the malware infections were in Russia, given that more than six million email domains in the data set are either mail.ru or yandex.ru domains. Yahoo, Hotmail and Gmail domains round out the top five.
The issue illustrates the risks associated with password reuse where one major collection of credentials can take down user accounts across a number of web-based services.
“Honestly, as an industry we are in some pretty serious denial about passwords and password reuse,” said Jessy Irwin, security empress at AgileBits, the makers of the 1Password password manager. “It’s low hanging fruit for hackers. The security industry focuses on the latest zero days and malware. Meanwhile, passwords are the same as they were 30 years ago – the weakest link in even the most secure system,” she said.
