More than 32 million Twitter accounts may have been hacked

More than 32 million records of Twitter account usernames, passwords, and email addresses have been obtained by the website LeakedSource, a paid repository for data breaches.

A hacker going by Tessa88 gave the site the dataset, which contained a number of passwords in plaintext. The site said in a blog post that Twitter itself does not appear to have been breached; instead, individual users were likely infected with malware that stole their usernames and passwords for websites and sent them back to the hacker.

"While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself," Tod Beardsley, Security Research Manager at Rapid7, told Tech Insider in a statement. "Specifically, it appears that the credentials were harvested from individual browsers' password stores, which is troubling."

Twitter's Trust and Information Security Officer Michael Coates said in a tweet that they investigated and were "confident that our systems have not been breached." A Twitter spokesperson told Tech Insider: "Our systems have not been breached. In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks."

The hacker apparently targeted mostly Russian users, with the top email addresses coming from Russia-based email services. "Tessa88" was also the source of recent data dumps from MySpace and the Russian social networking site VK.

"We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass. It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls," Beardsley added.