Twitter freezes accounts in the wake of password leak

Company requests password resets as security measure

Twitter has been freezing accounts and issuing password reset emails in the wake of a data leak that saw over 32 million passwords exposed.

The company's position was explained in an official blog post by Twitter's trust and information security officer Michael Coates, who maintained that the credentials were "not obtained from a hack of Twitter's servers".

"The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both," he said. "Regardless of origin, we're acting swiftly to protect your Twitter account."

As the company stated in its initial response to the news, it has cross-checked the leaked data from recent breaches on MySpaceLinkedIn and Tumblr, as well as the information discovered yesterday.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"As a result," Coates wrote, "a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner."

"Your account won't be accessible until you do so," he warned, "to ensure that unauthorized individuals don't have access." Coates also reiterated the boilerplate security advice given by experts in these situations: use a strong password, enable two-factor authentication, and use a password manager.

09/06/2016: 32 million Twitter passwords go for sale on the dark web, but Twitter 'not hacked'

Twitter has denied that its systems were breached by hackers, after more than 32 million users' passwords were found for sale on the dark web.

The news comes after a rash of data breaches from sites such as MySpace, LinkedIn and Tumblr, all of which have had user credential databases leaked online by hackers.

However, while these companies were the victims of cyberattacks, Twitter was quick to stress that the company's systems "have not been breached".

Advertisement - Article continues below

"We are confident that these usernames and credentials were not obtained by a Twitter data breach," a spokesman told IT Pro.

"In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks."

Multiple security experts have agreed with this diagnosis, after Reddit was forced to issue reset password emails to 100,000 users because of credentials leaked in the LinkedIn hack, while Netflix and Facebook took similar action.

"The person that is selling the Twitter credentials has been behind many other similar credential leaks before," F-Secure chief research officer Mikko Hypponen told IT Pro. "So, we believe the database she is selling now is real."

Advertisement
Advertisement - Article continues below

The data was provided by an individual known as 'Tessa88' to database search tool LeakedSource, which wrote in a blog post that "out of 15 users we asked, all 15 verified their passwords". Many of the affected emails are Russian.

While the database is real, security experts IT Pro spoke with agreed that it is not the result of a hack. "We do not believe it's stolen from Twitter," Hypponen said, "but from users' own systems with keyloggers."

Advertisement - Article continues below

His views have been echoed by both LeakedSource and infosec analyst Graham Cluley. 

Cluley confirmed that in the wake of this latest data leak, his advice for users is the same as it is after every breach, telling IT Pro: "If you're concerned your password may have been compromised, you should change it."

"Furthermore, you should change your passwords if you are using the same password anywhere else on the net - a sadly all too common problem," he warned.

"Finally, folks should enable two-step verification on their Twitter account - which should make it hard for accounts to be hijacked even if hackers have grabbed your password."

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/malware/33080/hackers-abuse-linkedin-dms-to-plant-malware
malware

Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

23 Dec 2019
Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020