Twitter has blocked some of its users’ accounts after it was revealed that the hacker responsible for the attacks on LinkedIn and Myspace is selling the log-in details of 33 million users through the dark web.
Michael Coates, chief security officer at Twitter, explained that the firm has perused the leaked data and is confident that it was not a victim of the hack attack, but has still taken measures to lock the accounts of users who may have had their details compromised.
"We’ve investigated claims of Twitter @names and passwords available on the dark web, and we’re confident the information was not obtained from a hack of Twitter’s servers," he said in a blog post.
"The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both.
"In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner."
Russian hacker 'Tessa88' was revealed to have given LeakedSource access to the Twitter records, which the hacker claims to have obtained in 2015.
The database contains the email addresses (and sometimes a second email address), usernames and plain-text passwords of 32,888,300 Twitter users once duplicates are removed.
LeakedSource claimed that the leaked credentials are the real deal: "These credentials are real and valid. Out of 15 users we asked, all 15 verified their password."
LeakedSource has dug into the data, which Tessa88 is selling for 10 bitcoins (around £4,000), and agrees with Coates that it is unlikely that Twitter was the victim of the hack.
"The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites, including Twitter," the company said.
"Passwords were stolen directly from consumers, therefore they are in plain text with no encryption or hashing. Remember that Twitter probably doesn't store the passwords in plain text. Chrome and Firefox did."
LeakedSource also noted that Mark Zuckerberg, who recently had his LinkedIn, Pinterest and Twitter accounts hacked, is not included in the list of leaked credentials.