Twitter secures accounts after user credentials sold online

10 Jun 2016

Rumours of a Twitter breach started circulating yesterday afternoon, and security researchers cautioned users to change their passwords and enable two-factor authentication, a feature that requires users to verify their identity at login with a PIN code sent to a trusted device.

However, the rumours were wrong, at least in part: although millions of Twitter handles and passwords were being offered for sale on the dark web, Twitter had not suffered a breach of that kind.

According to LeakedSource, a site that posted the data, the login credentials were harvested using malware, a plausible theory supported by Twitter's own security team.

"The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both," Twitter trust and information security officer Michael Coates wrote in a blog post about the incident.

In a swift move, Twitter yesterday forced all users whose information was leaked to reset their passwords.

Twitter is the latest social media company to have millions of its users' passwords dumped online; 360 million Myspace credentials and 100 million LinkedIn credentials went up for sale in May.

Twitter had not denied that at least some of the user data on the dark web was accurate, but had distanced itself from LinkedIn and Myspace, both of which had user passwords stolen when hackers breached internal databases.

According to Twitter, computers infected with malware capable of harvesting their owners' login details might be responsible for some of the passwords found online. Twitter said in a blog post, "When so many breaches are announced in a short window of time, it may be natural to assume that any mention of 'another breach' is true and valid."

"Nefarious individuals leverage this environment in order to either bundle old breached data or repackage accounts from a variety of breaches, and then claim they have login information and passwords for website Z."