Be wary of claims that 32 million Twitter passwords are circulating online

Twitter logoThe jury is still out, but at this early stage, there's good reason to doubt the legitimacy of claims that more than 32 million Twitter passwords are circulating online.

The purported dump went live on Wednesday night on LeakedSource, a site that bills itself as a breach notification service. The post claimed that the 32.88 million Twitter credentials contain plaintext passwords and that of the 15 records LeakedSource members checked, all 15 were found to be valid. Twitter Trust and Info Security Officer Michael Coates has said his team investigated the list, and he remains "confident that our systems have not been breached."

Lending credibility to Coates's claim, Twitter has long used the bcrypt hash function to store hashes. Bcrypt hashes are so slow and computationally costly to crack that it would have required infeasible amounts of time and effort for anyone to decipher the underlying plaintext. As of press time, there were no reports of a mass reset of Twitter users' passwords, either.

Eliminating the possibility that Twitter's network has been hacked, LeakedSource speculated that tens of millions of people were infected by malware that sent every username and password saved in the victims' browser to servers under the attackers' control. This scenario is possible, but it still seems unlikely that all 32 million of the passwords in the dump are valid. For one thing, it's unlikely that anyone other than Twitter has the ability to check even a tiny fraction of such a large number. And for another, if 32 million plaintext Twitter passwords really were in the wild, the service no doubt would have mandated password changes for all affected users by now.

"I'm highly skeptical that there's a trove of 32M accounts with legitimate credentials for Twitter," Troy Hunt, a security researcher and the founder of the Have I been Pwned? breach notification service, told Ars. "The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low."

Over the past month, a cluster of megabreaches, most stemming from hacks carried out years ago, has dumped 642 million passwords into the public domain. The dumps are significant, because many users reused the same passwords on multiple other sites. But unless more details become available in the coming hours, Twitter users need not change their passwords. That said, anyone who hasn't signed up for two-factor authentication on the service should strongly consider doing so now.

Source: Ars Technica

Tags: security, Twitter

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (15)