The credentials of more than 32 million Twitter users have reportedly been stolen and leaked—but with this particular mega-breach, the twist is that it doesn’t seem to have been Twitter itself that was the source of the data.
There has recently been a spate of user credentials from services such as LinkedIn and MySpace turning up in the online underground, but in each of those cases the data appeared to have come from a breach of the service provider’s own systems—a tell-tale sign being that the passwords were hashed, albeit badly.
Those breaches came to light through a shadowy site called LeakedSource, which lets people check whether their credentials appear in particular leaked datasets. LeakedSource is again the conduit for this latest tranche of data, but its proprietors reckon the Twitter credentials were stolen from users’ browsers rather than from Twitter. Twitter is also adamant that it wasn’t itself hacked.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach—our systems have not been breached,” Twitter said in a statement. “In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
In a blog post, LeakedSource said the dataset included passwords from people who had signed up to Twitter as recently as 2014, but that the passwords were stored in “plaintext,” with no attempt to encrypt or hash them. A large, prominent web firm such as Twitter is not that careless with its customers’ data.
As Twitter information security officer Michael Coates tweeted:
What’s more, LeakedSource said many passwords in the dataset were listed as “blank,” which is how browsers mark a saved login for which the user chose not to store the password alongside the username.
In short, according to LeakedSource’s theory, whoever stole this data apparently stole it from the users’ browsers. This was most probably done with malware, and it seems to have disproportionately targeted Russians—the most common email address domain in the list is “mail.ru,” with five other Russian email providers also appearing in the top 10.
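The two inferences above, that a dump full of plaintext passwords and “blank” markers points at the users’ browsers rather than the service, and that the email-domain distribution hints at who was targeted, are the kind of triage a defender does on any leaked dataset; the same code also shows what Twitter’s statement about “checking our data against what’s been shared from recent other password leaks” involves in practice. The following is an added example written for this article, not LeakedSource’s or Twitter’s code: the `email:secret` line format, the literal `blank` marker, the sample dump lines and the PBKDF2 user store are all constructed assumptions.

```python
"""Triage of a leaked credential dump, from a defender's point of view.

Added example (not the article's or any company's code). The
'email:secret' format and the literal "blank" marker are assumptions
modelled on the article's description of the LeakedSource dataset.
"""
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample dump lines (not real data). The two hex values are
# unsalted SHA-1 and MD5 digests of the word "password".
SAMPLE_DUMP = """\
alice@mail.ru:Qwerty123
bob@mail.ru:blank
carol@yandex.ru:letmein
dave@gmail.com:blank
erin@rambler.ru:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
frank@mail.ru:correct horse battery staple
grace@yahoo.com:5f4dcc3b5aa765d61d8327deb882cf99
"""

BLANK_MARKER = "blank"  # assumed marker for "password not saved in browser"
HEX_DIGEST_RE = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")


def parse_dump(text):
    """Split 'email:secret' lines into (email, secret) pairs, skipping junk."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, secret = line.split(":", 1)
        records.append((email.lower(), secret))
    return records


def classify_secret(secret):
    """'blank' (not saved), 'hash' (looks like a hex digest) or 'plaintext'."""
    if secret == "" or secret == BLANK_MARKER:
        return "blank"
    if HEX_DIGEST_RE.match(secret):
        return "hash"
    return "plaintext"


def summarize(records, top_n=3):
    """Password kinds, most common email domains, and a crude origin verdict."""
    kinds = Counter(classify_secret(s) for _, s in records)
    domains = Counter(e.rsplit("@", 1)[-1] for e, _ in records)
    return {
        "total": len(records),
        "kinds": dict(kinds),
        "top_domains": domains.most_common(top_n),
        # Mostly plaintext plus "blank" entries is what a client-side theft
        # looks like; a dump of a service's own store would be mostly hashes.
        "likely_client_side": kinds["plaintext"] + kinds["blank"] > kinds["hash"],
    }


# --- What a service does with someone else's leak: match, then force resets ---

def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; the service never keeps the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_store(plain_passwords):
    """Simulated service-side store: email -> (salt, digest). Constructed."""
    store = {}
    for email, pw in plain_passwords.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store


def accounts_to_reset(store, records):
    """Emails whose *current* password equals the leaked one: force a reset."""
    hits = []
    for email, secret in records:
        if email not in store or classify_secret(secret) != "plaintext":
            continue
        salt, digest = store[email]
        # Re-hash the leaked plaintext with the user's salt; constant-time compare.
        if hmac.compare_digest(hash_password(secret, salt), digest):
            hits.append(email)
    return hits


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    print(summarize(recs))
    users = make_user_store({"alice@mail.ru": "Qwerty123", "carol@yandex.ru": "unrelated"})
    print("reset:", accounts_to_reset(users, recs))
```

Only plaintext leaked entries can be checked this way: a leaked hash from another site cannot be re-hashed under your own salt, so the most a service can do with those is treat the email as exposed. The classifier is deliberately crude (fixed-length hex only); real triage would also look at bcrypt/scrypt prefixes and at whether the same email repeats with different secrets.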
If that’s the case, the thieves probably took more than just Twitter credentials.