Be wary of claims that 32 million Twitter passwords are circulating online

Twitter logoThe jury is still out, but at this early stage, there's good reason to doubt the legitimacy of claims that more than 32 million Twitter passwords are circulating online.

The purported dump went live on Wednesday night on LeakedSource, a site that bills itself as a breach notification service. The post claimed that the 32.88 million Twitter credentials contain plaintext passwords and that of the 15 records LeakedSource members checked, all 15 were found to be valid. Twitter Trust and Info Security Officer Michael Coates has said his team investigated the list, and he remains "confident that our systems have not been breached."

Lending credibility to Coates's claim, Twitter has long used the bcrypt hash function to store hashes. Bcrypt hashes are so slow and computationally costly to crack that it would have required infeasible amounts of time and effort for anyone to decipher the underlying plaintext. As of press time, there were no reports of a mass reset of Twitter users' passwords, either.

Eliminating the possibility that Twitter's network has been hacked, LeakedSource speculated that tens of millions of people were infected by malware that sent every username and password saved in the victims' browser to servers under the attackers' control. This scenario is possible, but it still seems unlikely that all 32 million of the passwords in the dump are valid. For one thing, it's unlikely that anyone other than Twitter has the ability to check even a tiny fraction of such a large number. And for another, if 32 million plaintext Twitter passwords really were in the wild, the service no doubt would have mandated password changes for all affected users by now.

"I'm highly skeptical that there's a trove of 32M accounts with legitimate credentials for Twitter," Troy Hunt, a security researcher and the founder of the Have I been Pwned? breach notification service, told Ars. "The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low."

Over the past month, a cluster of megabreaches, most stemming from hacks carried out years ago, has dumped 642 million passwords into the public domain. The dumps are significant, because many users reused the same passwords on multiple other sites. But unless more details become available in the coming hours, Twitter users need not change their passwords. That said, anyone who hasn't signed up for two-factor authentication on the service should strongly consider doing so now.

Source: Ars Technica

Tags: security, Twitter

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

And fortunately, it won’t be an iPhone X-like notch
Qualcomm Technologies has shown on the path to commercialization of 5G
It will be embracing Chromium in the development of the browser
The new OLEDs will be on display at CES 2019 in Las Vegas early next year
Quintuple-app strategy offers "a simpler and more unified communications experience"
Google's other mobile SDK is deemed ready for prime time
Google is expanding the Pixel 3’s eSIM support to a few new countries
They are teaming up to create a digital identity solution to help protect consumers across the shopping
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (11)