Be wary of claims that 32 million Twitter passwords are circulating online

The jury is still out, but at this early stage, there's good reason to doubt the legitimacy of claims that more than 32 million Twitter passwords are circulating online.

The purported dump went live on Wednesday night on LeakedSource, a site that bills itself as a breach notification service. The post claimed that the 32.88 million Twitter credentials contain plaintext passwords and that of the 15 records LeakedSource members checked, all 15 were found to be valid. Twitter Trust and Info Security Officer Michael Coates has said his team investigated the list, and he remains "confident that our systems have not been breached."

Lending credibility to Coates's claim, Twitter has long used the bcrypt hash function to store hashes. Bcrypt hashes are so slow and computationally costly to crack that it would have required infeasible amounts of time and effort for anyone to decipher the underlying plaintext. As of press time, there were no reports of a mass reset of Twitter users' passwords, either.

Eliminating the possibility that Twitter's network has been hacked, LeakedSource speculated that tens of millions of people were infected by malware that sent every username and password saved in the victims' browser to servers under the attackers' control. This scenario is possible, but it still seems unlikely that all 32 million of the passwords in the dump are valid. For one thing, it's unlikely that anyone other than Twitter has the ability to check even a tiny fraction of such a large number. And for another, if 32 million plaintext Twitter passwords really were in the wild, the service no doubt would have mandated password changes for all affected users by now.

"I'm highly skeptical that there's a trove of 32M accounts with legitimate credentials for Twitter," Troy Hunt, a security researcher and the founder of the Have I Been Pwned? breach notification service, told Ars. "The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low."

Over the past month, a cluster of megabreaches, most stemming from hacks carried out years ago, has dumped 642 million passwords into the public domain. The dumps are significant, because many users reused the same passwords on multiple other sites. But unless more details become available in the coming hours, Twitter users need not change their passwords. That said, anyone who hasn't signed up for two-factor authentication on the service should strongly consider doing so now.

Source: Ars Technica

Tags: security, Twitter
