A hacker who reportedly has ties to the recent MySpace, LinkedIn and Tumblr data breaches is claiming to have another huge set of stolen logins: this time, for Twitter accounts.
According to ZDNet, it’s a Russian seller who goes by the name of Tessa88.
In an encrypted chat with ZDNet on Tuesday, the seller claimed to have gotten a database that contains email addresses (sometimes two per person), usernames, and plaintext passwords – i.e. passwords that hadn’t been encrypted or hashed.
As of Thursday, Tessa88 was selling the dataset for 10 bitcoins, or about $5,820.
Twitter says it wasn’t breached. From a statement it sent to TechCrunch:
We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached.
In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.
LeakedSource, a search engine of over 1.8 billion leaked records, said on Wednesday that it, too, had been contacted by Tessa88.
Tessa88 is the same alias used by whoever contacted LeakedSource over the weekend with a different leak: they shared a copy of a dataset containing 100,544,934 leaked records of users of VK.com, a social networking site that’s Russia’s version of Facebook.
According to LeakedSource, the Twitter dataset contains 32,888,300 records. Each record may contain an email address, a username, sometimes a second email and an unencrypted text password.
Twitter said in a blog post that it’s reset some users’ passwords.
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.
If your Twitter information was impacted … then you have already received an email that your account password must be reset. Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.
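The cross-check Twitter describes above only works because the leaked passwords are plaintext: a site that stores salted hashes can re-hash each leaked password with the account’s own salt and lock any account where the result matches. The following is an added illustration of that defender-side check, not Twitter’s or Sophos’s code; the store layout, the `email:username:password` dump format and all sample values are constructed for the example.

```python
import hashlib
import hmac
import os

# Hypothetical site: it keeps only salted PBKDF2-HMAC-SHA256 hashes, never plaintext.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(accounts: dict) -> dict:
    """Build a {username: (salt, hash)} store from test passwords (constructed data)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)          # fresh per-account salt, as a real site should use
        store[user] = (salt, hash_password(pw, salt))
    return store

def parse_dump(text: str) -> list:
    """Parse 'email:username:plaintext' lines; '#' lines and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        email, user, pw = line.split(":", 2)   # password may itself contain ':'
        rows.append((email, user, pw))
    return rows

def cross_check(store: dict, dump_rows: list) -> dict:
    """Return {username: 'locked'} for accounts whose stored hash matches a leaked plaintext."""
    result = {}
    for _email, user, leaked_pw in dump_rows:
        if user not in store:
            continue                   # not our user; nothing to do
        salt, stored = store[user]
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            result[user] = "locked"    # direct exposure: lock and require a reset
    return result

def demo() -> dict:
    # Constructed store and dump: alice's leaked password is current, bob's is stale,
    # and 'mallory' is not an account on this site at all.
    store = make_store({"alice": "correct horse", "bob": "Tr0ub4dor&3"})
    dump = ("# constructed leak sample\n"
            "alice@example.com:alice:correct horse\n"
            "bob@example.com:bob:oldpassword\n"
            "m@example.com:mallory:hunter2\n")
    return cross_check(store, parse_dump(dump))
```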
Twitter offered all users this advice for keeping their account safe:
- Enable login verification (e.g. two-factor authentication).
- Use a strong password that you don’t reuse on other websites.
- Use a password manager to make sure you’re using strong, unique passwords everywhere.
And, in case you were concerned about Mark Zuckerberg’s Twitter account, no worries: his account isn’t showing up in this dataset. LeakedSource triple checked!
Well, that’s a relief. Getting the Zuck account hijacked twice in one week would be adding salt to the wound!
Mine is good, likely due to a reminder I previously read on Naked Security to enable 2FA.
woot
Props and thanks to Lisa, Duck, Mark, John, and all the other great NS mentors we routinely enjoy
woot indeed!
Twitter (and Sophos) should also recommend that users pick a unique password for each account. That way, if one vendor is hacked, the leaked credentials won’t work on other accounts.
We did recommend just that:
“Use a strong password that you don’t reuse on other websites.”
You’ll also find this advice in the video that we linked to in the article:
https://nakedsecurity.sophos.com/2014/10/01/how-to-pick-a-proper-password/
Lisa, Paul, am I reading this statement from twitter wrong?
“If your Twitter information was impacted … then you have already received an email that your account password must be reset.” (and) “Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.”
The two above statements seem mutually exclusive, and they are. If your account is inaccessible until you reset your password, how can you possibly reset it?
Moving forward, the two halves of the second sentence are also mutually exclusive, observe:
“Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.”
Of course, we have to ignore my previous conclusions just to ponder these points:
1) It has to be assumed anyone receiving this email is part of the 38 million known victims.
2) The hackers had access to their email accounts before this story ever got out.
3) The hackers could have easily had a cheap Filipino “brute force” internet crew change all 38 million email and/or twitter passwords, to make the accounts more valuable as a commodity.
4) Ergo there cannot be any “assurance that unauthorized individuals don’t have access”, even if an unknown person logs in and changes the twitter password.
Of course for these and several other reasons I find it hard to believe Twitter’s story. Your thoughts guys?
I’m not sure, because I didn’t receive an email from Twitter 🙂
I assume that the “reset” process involves extra steps over and above simply typing in the old password, such as answering a security question or typing in a one-time code sent by SMS or email. This greatly reduces the chance that a crook who has *only* your password could successfully complete the reset process and thus take over your account altogether.
I find it hard *not* to accept Twitter’s story, though personally I might not have said that the forced-reset process would “ensure” no one else got access to your account. (If the passwords were acquired some time ago via password-stealing malware, for example, who knows what other handy personal information the malware might have got at the same time?)
I don’t think Twitter suffered a breach, and I am happy to accept the company’s suggestion that these passwords (not all of which seem to be correct) were acquired in some other way than via Twitter’s own authentication database.
We need to be very careful of letting the crooks “inform” our opinion about cybersecurity at the world’s big web properties, as we argued here:
https://nakedsecurity.sophos.com/2016/05/05/more-than-250-million-email-accounts-breached-maybe/
Just curious, why did my previous lengthy posted comment not appear as waiting for moderation? It’s never happened before.
I presume the comment you’re talking about is the one above addressed to Lisa and Paul? All I can tell you is that moderation rules apply to all of our users, including our authors, and that your comment did indeed go in to moderation. The fact that the site didn’t say so may have been a transient fault but so far we’re not able to reproduce it.
That aside, thanks again for your regular and continued contributions to our discussions.