Twitter has forced a password reset on an undisclosed number of accounts exposed this week in a dump of 32.8 million account names and credentials.
A Russian hacker known as Tessa88 has been involved in a number of recent password disclosures, with Twitter being the most recent. He shared the cache of Twitter data with LeakedSource, a service that offers subscribers a searchable database of credentials stolen in breaches. LeakedSource said it turned over the data from Tessa88 to Twitter for further analysis.
“In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection,” Twitter trust and information security officer Michael Coates wrote today in a blogpost. “Accounts with direct password exposure were locked and require a password reset by the account owner.”
Coates reaffirmed that Twitter was not breached and that the account names and credentials for sale on exploit[.]im were aggregated from other sources online.
In Twitter’s case, LeakedSource surmised that the credentials were obtained through malware infections designed to steal plaintext passwords stored in the browser. Sources at LeakedSource said the data it had was in the clear, and that since Twitter has said it stores passwords hashed with bcrypt, a one-way function from which plaintext cannot be recovered, it’s likely the passwords were stolen directly from users’ machines rather than from Twitter’s own database.
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates (@_mwc) June 9, 2016
“That’s just our very, very strong theory based on the proof provided. We’ve seen various types of malware but this would be along the lines of a RAT (remote administration tool),” LeakedSource told Threatpost on Thursday. “Generally these are used to DDoS websites but almost all of them have a single one click button to force your victims to send their browser passwords. It would be the same thing that people did when they hacked TeamViewer users.”
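The procedure Coates describes (cross-checking a dump against Twitter’s own records and locking only the accounts whose leaked password actually matches) and LeakedSource’s reasoning about bcrypt both come down to the same operation: verifying a leaked plaintext against a stored, salted, one-way hash. The following is an added example written for this page, not code from Twitter or LeakedSource. It assumes a toy user table and a constructed dump, and it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so that it runs offline with no dependencies; the property that matters here, that the hash cannot be reversed and that verification requires a candidate plaintext, is the same.

```python
"""Cross-check a credential dump against a password database.

Added example for this article, not Twitter's or LeakedSource's code.
Assumptions: stored hashes use PBKDF2-HMAC-SHA256 (stdlib stand-in for
bcrypt); all usernames, passwords and dump lines below are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 50_000  # modest work factor so the example runs quickly


def hash_password(password: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt per user means two users with
    the same password get different hashes, and nothing in the table can be
    turned back into plaintext without brute-forcing each entry."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Verification needs a candidate plaintext: hash it the same way and
    compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'username:password' lines; blanks and malformed lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, _, pw = line.partition(":")
        pairs.append((user.strip().lower(), pw))
    return pairs


def cross_check(dump: List[Tuple[str, str]],
                db: Dict[str, Tuple[bytes, bytes]]) -> Dict[str, str]:
    """Classify every leaked pair. Only a verified match is 'direct password
    exposure' and gets the lock-and-reset treatment."""
    actions = {}
    for user, leaked_pw in dump:
        if user not in db:
            actions[user] = "unknown-account"
            continue
        salt, stored = db[user]
        if verify_password(leaked_pw, salt, stored):
            actions[user] = "lock-and-force-reset"
        else:
            actions[user] = "password-does-not-match"
    return actions


# Constructed user table (not real accounts or passwords).
USER_DB = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("hunter2"),
    "carol": hash_password("unique-pass-99"),
}

# Constructed dump: alice and bob reused these passwords elsewhere, carol's
# leaked entry is stale, dave has no account here, and one line is garbage.
LEAK_TEXT = """\
alice:correct horse battery
bob:hunter2
carol:old-password
dave:whatever
garbage line without separator
"""


def run() -> Dict[str, str]:
    return cross_check(parse_dump(LEAK_TEXT), USER_DB)


if __name__ == "__main__":
    for user, action in run().items():
        print(f"{user:8s} {action}")
```

Only alice and bob get locked: their leaked plaintext verifies against the stored hash, which is the "direct password exposure" Coates refers to. Carol's stale password and the unknown user dave are noise, which is why a mechanical "reset everyone in the dump" would lock out people who were never at risk. Note that the check runs in the direction plaintext-to-hash only; there is no code path that produces a plaintext from a stored hash, which is the point LeakedSource was making about a bcrypt-backed service.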
Twitter has made a number of high-profile security hires in recent years and has prioritized HTTPS and forward secrecy deployments to secure sessions. It has also implemented login protections that take factors such as location, device and behavior into account when identifying potentially malicious activity. In those cases, Coates said, users’ accounts are locked and stay locked until the password is reset.
“If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the ‘dark web’ – then you have already received an email that your account password must be reset,” Coates wrote. “Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.”
Twitter recommends that users enable the two-factor authentication it offers, use strong passwords, avoid re-using the same password elsewhere online, and use a password manager.
In the meantime, exposed Twitter accounts, along with those from MySpace, Tumblr, LinkedIn, VK.com, and TeamViewer, make up more than 600 million credentials exposed in the last 20 days.
“We take security concerns seriously, and investigate issues as they arise, but everyone should also scrutinize the merits of any credential claim,” Coates said. “We’re always focused on the issues that present a real threat to account security.”