According to ZDNet, it’s a Russian seller who goes by the name of Tessa88.
In an encrypted chat with ZDNet on Tuesday, the seller claimed to have gotten a database that contains email addresses (sometimes two per person), usernames, and plaintext passwords – i.e. passwords that hadn’t been encrypted or hashed.
As of Thursday, Tessa88 was selling the dataset for 10 bitcoins, or about $5,820.
Twitter says it wasn’t breached. From a statement it sent to Tech Crunch:
We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached.
In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.
LeakedSource, a search engine of over 1.8 billion leaked records, said on Wednesday that it, too, had been contacted by Tessa88.
Tessa88 is the same alias used by whoever contacted LeakedSource over the weekend with a different leak: they shared a copy of a dataset containing 100,544,934 leaked records of users of VK.com, a social networking site that’s Russia’s version of Facebook.
According to LeakedSource, the Twitter dataset contains 32,888,300 records. Each record may contain an email address, a username, sometimes a second email and an unencrypted text password.
Twitter said in a blog post that its reset some users’ passwords.
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.
If your Twitter information was impacted … then you have already received an email that your account password must be reset. Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.
Twitter offered all users this advice for keeping their account safe:
- Enable login verification (e.g. two factor authentication).
- Use a strong password that you don’t reuse on other websites.
- Use a password manager to make sure you’re using strong, unique passwords everywhere.
And, in case you were concerned about Mark Zuckerberg’s Twitter account, no worries: his account isn’t showing up in this dataset. LeakedSource triple checked!
Well, that’s a relief. Getting the Zuck account hijacked twice in one week would be adding salt to the wound!