Be wary of claims that 32 million Twitter passwords are circulating online

Twitter logoThe jury is still out, but at this early stage, there's good reason to doubt the legitimacy of claims that more than 32 million Twitter passwords are circulating online.

The purported dump went live on Wednesday night on LeakedSource, a site that bills itself as a breach notification service. The post claimed that the 32.88 million Twitter credentials contain plaintext passwords and that of the 15 records LeakedSource members checked, all 15 were found to be valid. Twitter Trust and Info Security Officer Michael Coates has said his team investigated the list, and he remains "confident that our systems have not been breached."

Lending credibility to Coates's claim, Twitter has long used the bcrypt hash function to store hashes. Bcrypt hashes are so slow and computationally costly to crack that it would have required infeasible amounts of time and effort for anyone to decipher the underlying plaintext. As of press time, there were no reports of a mass reset of Twitter users' passwords, either.

Eliminating the possibility that Twitter's network has been hacked, LeakedSource speculated that tens of millions of people were infected by malware that sent every username and password saved in the victims' browser to servers under the attackers' control. This scenario is possible, but it still seems unlikely that all 32 million of the passwords in the dump are valid. For one thing, it's unlikely that anyone other than Twitter has the ability to check even a tiny fraction of such a large number. And for another, if 32 million plaintext Twitter passwords really were in the wild, the service no doubt would have mandated password changes for all affected users by now.

"I'm highly skeptical that there's a trove of 32M accounts with legitimate credentials for Twitter," Troy Hunt, a security researcher and the founder of the Have I been Pwned? breach notification service, told Ars. "The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low."

Over the past month, a cluster of megabreaches, most stemming from hacks carried out years ago, has dumped 642 million passwords into the public domain. The dumps are significant, because many users reused the same passwords on multiple other sites. But unless more details become available in the coming hours, Twitter users need not change their passwords. That said, anyone who hasn't signed up for two-factor authentication on the service should strongly consider doing so now.

Source: Ars Technica

Tags: security, Twitter

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Pokemon GO had the potential to net $1 billion a year
The report said that Hon Hai has invested about US$600 million in India
Market research firm IDC reports that in the third quarter of this year
Customers will only have to shell out 50% of the cost of their Galaxy S7 device
New flagship will launch in 2017
Patent hints at name of the upcoming Surface AIO
IBM, Globalfoundries and Samsung have chosen to use extreme ultraviolet (EUV) light to pattern transistors
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
HP Slate 7 is a 7-inch Android 4 Tablet PC with good sound
A cost-effective, 7-inch tablet PC from a renowned manufacturer
October 25, 2013 / 4

News Archive



Do you use microSD card with your phone?
or leave your own version in comments