Russian hackers sell 33 million Twitter passwords online
Published 09/06/2016 | 12:25
Usernames and passwords of almost 33 million Twitter users have been obtained by a Russian hacker and put up for sale online.
The leak, which covers a tenth of Twitter’s users, comes after several high-profile Twitter accounts, including Facebook’s Mark Zuckerberg and singer Katy Perry, were broken into.
Twitter denied that its own security had been breached, but said it was checking to see if accounts had been compromised by other huge password leaks.
The data for sale online may have come from hackers checking Twitter usernames against email and password combinations from security breaches at Myspace and LinkedIn.
Millions of passwords from both social networks, obtained in hacks dating back to 2011, have been put up for sale on the dark web in recent weeks. Since many people re-use passwords across the web, a trial and error approach on other social networks could result in many successful attacks.
It is believed that trying LinkedIn and Myspace passwords on Twitter accounts is how several celebrity Twitter accounts have been hacked into over the last week.
A hacking group called OurMine accessed Zuckerberg's account this week, revealing that his password had been "dadada". Rock group Tenacious D's account was breached, resulting in a Jack Black death hoax, and others including Lana Del Rey and Keith Richards were affected.
A spokesman for Twitter said it is "confident" that it hasn't been hacked.
"We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached," the company said. "In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks."
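The two sides of this story, a reused password from one site's leak being tried against another site, and the defensive check Twitter describes of comparing its own accounts against what has been shared from other leaks, can be shown in a few lines. The example below is added here and is not code from Twitter, LeakedSource or any of the companies named; the user records, the leak dump and the login log are all constructed, the site is assumed to store PBKDF2 salted hashes (Twitter's real scheme is not stated anywhere in the article), and the IP addresses are documentation ranges. It shows how a site can find which of its users have a password that appears against their e-mail address in a third-party dump, so those accounts can be reset before anyone tries them, and how login traffic that walks a leaked list (many distinct accounts from one source, mostly failing) differs from a single user mistyping.

```python
"""Cross-check a site's own credential store against a third-party password leak,
and flag login traffic that looks like trial-and-error reuse of leaked credentials.
Added example; every record below is constructed for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # PBKDF2 work factor (assumed scheme; any slow hash would do)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(accounts):
    """Build a constructed user store: email -> (salt, hash), random salt per user."""
    store = {}
    for email, password in accounts:
        salt = os.urandom(16)
        store[email] = (salt, hash_password(password, salt))
    return store


# Constructed site accounts; plaintexts appear here only to build the demo store
SITE_STORE = make_store([
    ("alice@example.com", "dadada"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "hunter2"),
])

# Constructed third-party dump in the usual email:password form
LEAK_DUMP = """alice@example.com:dadada
bob@example.com:Bob2011!
carol@example.com:hunter2
dave@example.com:letmein"""


def parse_leak(dump: str):
    """Parse email:password lines, skipping malformed ones."""
    pairs = []
    for line in dump.splitlines():
        email, _, pw = line.partition(":")
        if email and pw:
            pairs.append((email.strip().lower(), pw))
    return pairs


def find_reused_credentials(store, leak_pairs):
    """Return emails whose current site password equals the password leaked for them.
    The leak is plaintext and the store holds salted hashes, so the only possible
    direction is to rehash each leaked password with that user's salt; the compare
    is constant-time and no plaintext is retained."""
    hits = set()
    for email, leaked_pw in leak_pairs:
        record = store.get(email)
        if record is None:
            continue  # that address has no account on this site
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            hits.add(email)
    return hits


# Constructed auth log: timestamp source-ip account outcome
AUTH_LOG = """2016-06-08T10:00:01 203.0.113.7 alice@example.com OK
2016-06-08T10:00:02 203.0.113.7 bob@example.com FAIL
2016-06-08T10:00:03 203.0.113.7 carol@example.com FAIL
2016-06-08T10:00:04 203.0.113.7 dave@example.com FAIL
2016-06-08T10:00:05 203.0.113.7 erin@example.com FAIL
2016-06-08T10:00:06 203.0.113.7 frank@example.com FAIL
2016-06-08T10:05:00 198.51.100.4 bob@example.com FAIL
2016-06-08T10:05:09 198.51.100.4 bob@example.com FAIL
2016-06-08T10:05:20 198.51.100.4 bob@example.com OK"""


def stuffing_suspects(log: str, min_accounts: int = 5, max_success_ratio: float = 0.2):
    """Flag source IPs that try many distinct accounts with mostly failures: the
    shape of replaying a leaked list, unlike one user retrying their own login."""
    attempts = defaultdict(list)
    for line in log.splitlines():
        _ts, ip, account, outcome = line.split()
        attempts[ip].append((account, outcome))
    suspects = {}
    for ip, rows in attempts.items():
        accounts = {a for a, _ in rows}
        successes = sum(1 for _, o in rows if o == "OK")
        if len(accounts) >= min_accounts and successes / len(rows) <= max_success_ratio:
            suspects[ip] = sorted(accounts)
    return suspects


if __name__ == "__main__":
    print("reset needed:", sorted(find_reused_credentials(SITE_STORE, parse_leak(LEAK_DUMP))))
    print("stuffing sources:", stuffing_suspects(AUTH_LOG))
```

The leak check is deliberately per-user rather than a global password blocklist: a leaked "dadada" only matters for the account whose e-mail sits beside it, and recomputing the slow hash once per leaked pair is cheap next to what an attacker pays per guess. The log heuristic is the same signal a rate limiter or WAF would key on (distinct-account fan-out from one source with a low success rate), with thresholds that are constructed and would be tuned to real traffic.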
Security blog LeakedSource said the data contained 32.9m records. The hacker is reportedly selling the data for 10 bitcoins (£4,000).
Richard Parris, head of cybersecurity company Intercede, said the incidents show that passwords are "no longer fit" for purpose.
"Passwords and usernames need to be consigned to the dusty archives of yesteryear," said Parris. "Online platforms hold masses of sensitive personal data about millions of consumers, and should not be relying on outdated password authentication."