In the wake of a number of 'mega breaches' at social media platforms, including Myspace, Tumblr and LinkedIn, it appears that Twitter users could be the latest victims of hacking as over 32 million credentials have reportedly surfaced online.
Breach notification website LeakedSource obtained and uploaded a copy of the data to its searchable databases and it claims each compromised record – 32,888,300 in total – contains an email address, username, sometimes a second email and a clear-text password. Twitter, so far, has maintained it has not been breached.
In a statement to TechCrunch, a Twitter spokesperson said: "We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks."
In any case, LeakedSource states that, breach or not, the credentials are legitimate: it verified them with 15 impacted users.
Stolen with malware
Interestingly, LeakedSource says the data was likely collected directly from users by "malware infecting browsers" rather than taken from Twitter itself. Based on its analysis of the email addresses, most of the impacted users appear to be located in Russia.
"Passwords were stolen directly from consumers, therefore they are in plaintext with no encryption or hashing. Remember that Twitter probably doesn't store the passwords in plaintext, Chrome and Firefox did," said LeakedSource.
"The join dates of some users with uncrackable (yet plaintext) passwords were recent. There is no way that Twitter stores passwords in plaintext in 2014 for example. The top email domains don't match up to a full database leak, more likely the malware was spread to Russians."
Like previous breaches, analysis indicates the passwords were shockingly weak. These include '123456' (120,417), 'qwerty' (22,770) and 'password' (17,417).
LeakedSource said the dataset was provided by a user under the pseudonym 'Tessa88', the same alias used in the recent leak of data from the Russian social network VK which, as previously reported, exposed roughly 100m user accounts.
Meanwhile, security experts have said that a traditional 'hack' of Twitter did not take place. Michael Coates, Twitter's trust and information security officer, denied the platform was breached in any way.
"We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached. We securely store all passwords with bcrypt. We are working with LeakedSource to obtain this info [and] take additional steps to protect users."
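The two technical points in the article, that a dump of plaintext passwords is not what a leak of a bcrypt-protected store would look like, and that a service can check its own users against a leaked list (as Twitter says it is doing) and rank the most common leaked passwords (as LeakedSource did), can be shown with a short defender-side script. The following is an added example, not code from Twitter, LeakedSource or the article; the credential dump and user store are constructed sample data, and hashlib.pbkdf2_hmac from the Python standard library stands in for bcrypt because it is likewise salted and deliberately slow.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of a credential dump: (email, username, plaintext password).
# Made-up records for illustration, not data from the real leak.
LEAKED_RECORDS = [
    ("alice@example.com", "alice", "123456"),
    ("bob@example.com", "bob", "qwerty"),
    ("carol@example.com", "carol", "correct horse battery staple"),
    ("dave@example.com", "dave", "password"),
    ("erin@example.com", "erin", "123456"),
]


def top_passwords(records, n=3):
    """Rank the most frequent plaintext passwords in a dump (the '123456' style analysis)."""
    return Counter(pw for _, _, pw in records).most_common(n)


# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 with a random 16-byte salt.
# Iteration count kept low so the example runs quickly; production values are far higher.
SALT_LEN = 16
ITERATIONS = 20_000


def hash_password(password, salt=None):
    """Return salt || digest. A service stores this, never the plaintext."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed user store: what the service itself holds (salted hashes only).
# Alice and Carol reuse the leaked password; Bob has since changed his; Dave and
# Erin have no account here; Frank is not in the dump at all.
USER_STORE = {
    "alice@example.com": hash_password("123456"),
    "bob@example.com": hash_password("N0t-the-leaked-one"),
    "carol@example.com": hash_password("correct horse battery staple"),
    "frank@example.com": hash_password("unrelated"),
}


def users_to_reset(records, store):
    """Emails whose current stored password matches the plaintext in the dump.

    This is the check a service can run against a third-party leak: the stored
    hash cannot be reversed, but a known plaintext can be verified against it,
    and matching accounts get a forced reset.
    """
    flagged = []
    for email, _, leaked_pw in records:
        stored = store.get(email)
        if stored is not None and verify_password(leaked_pw, stored):
            flagged.append(email)
    return sorted(flagged)


if __name__ == "__main__":
    print("Most common leaked passwords:", top_passwords(LEAKED_RECORDS))
    print("Accounts to force-reset:", users_to_reset(LEAKED_RECORDS, USER_STORE))
```

Note that nothing in the user store could have produced the dump: the service only ever holds salt and digest, so plaintext in a leak points to capture on the client side (here, the browser malware LeakedSource describes), which is exactly the argument the article reports.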
The news comes as a Twitter-based hacking spree hit a number of public figures and celebrities – including rock band Tenacious D, the rapper Drake, TV personality Kylie Jenner and even Facebook CEO Mark Zuckerberg.
Amid the upswing in targeted hacks, a Twitter spokesperson said: "A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter. We detail other steps people can take to keep their accounts secure on our help centre."
LeakedSource added: "The lesson here? It's not just companies that can be hacked, users need to be careful too."