Twitter denies stolen account passwords came from its servers and issues security advice
In recent days the internet has been abuzz with news that credentials for millions of Twitter accounts have been put up for sale on the Dark Web. Despite the online chatter about what many people assumed to be a security breach, Twitter chose to remain silent. Now the company has spoken out after an investigation and denies that the password leak was the result of Twitter being hacked.
Dismissively referring to the "purported Twitter @names and passwords", the company says that the leak is probably a combination of data gathered from previous breaches as well as credentials gathered by malware. Twitter has identified a number of accounts directly affected by the leak and has reset the passwords to protect the owners.
Leaked Source, which broke the news of the availability of the password, agrees that Twitter was probably not hacked. It says: "We have very strong evidence that Twitter was not hacked, rather the consumer was. These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords".
Michael Coates, Twitter's Trust and Information Security Officer said that an investigation had been carried out and Twitter's own security had been given a clean bill of health:
We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached.
— Michael Coates ஃ (@_mwc) June 9, 2016
In a blog post, Coates today goes on to give security advice to Twitter users and explains that account credentials are always secured using bcrypt. The fact that the database of leaked passwords was in plaintext format implies that another source -- such as the suggested malware -- is the root of the data exposure. So do you need to worry? Twitter says no. If your account security has been compromised, you will already have been contacted by the site and informed that your account has been locked down until you reset the password.
Twitter offers up the following tips to ensure ongoing account security:
- Enable login verification (e.g. two factor authentication). This is the single best action you can take to increase your account security.
- Use a strong password that you don’t reuse on other websites.
- Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.