Twitter announced today that it is requiring several million of the 32 million accounts whose @names and passwords are reportedly for sale on the dark web to reset their passwords, following an internal security review. The company did clarify that the leak did not appear to be the result of a breach of Twitter’s own networks and more likely stemmed from the users’ side: passwords reused across services and malware on their own machines.
“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both,” Twitter wrote in a statement.
With recent reports of massive breaches at LinkedIn and Myspace exposing the usernames and passwords of millions of users, it seemed entirely plausible that the 32 million accounts reportedly circulating on the dark web came from Twitter itself. But, remarkably, the Twitter accounts appear to have been compromised because people reused passwords leaked from other services. Even Facebook’s Mark Zuckerberg admitted that the hackers who took over his Twitter account simply repurposed a password leaked from LinkedIn in 2012. That password was “dadada.”
“We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached,” announced Michael Coates, Twitter’s Trust & Info Security Officer.
In its statement on the leak, Twitter reassured its users that its network had not been breached, but it also cautioned against taking every report of a leak at face value.
“When so many breaches are announced in a short window of time, it may be natural to assume that any mention of ‘another breach’ is true and valid,” Twitter wrote. “Nefarious individuals leverage this environment in order to either bundle old breached data or repackage accounts from a variety of breaches, and then claim they have login information and passwords for website Z.”
Nonetheless, the company also took the opportunity to encourage its users to strengthen their security by setting up two-factor authentication or using a password manager.
As for those who were definitely affected by the most recent discovery of account information, Twitter says it has already notified them.
“If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the ‘dark web’ – then you have already received an email that your account password must be reset,” Twitter wrote.
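The two checks Twitter’s statements describe, that a purported dump is largely old breach data repackaged, and that only users who reused a leaked password actually need a forced reset, can be reproduced by a defender holding a dump. The script below is an added example written for this article, not Twitter’s code; all credentials, breach names and the user table in it are constructed sample data, and it uses PBKDF2 with a low iteration count purely to keep the example quick (production password storage would use argon2 or bcrypt, or far more rounds).

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Tuple

# --- Constructed sample data (not real credentials; example.com addresses only) ---

# Old breach corpora a defender already holds, keyed by a made-up breach name.
KNOWN_BREACHES: Dict[str, List[Tuple[str, str]]] = {
    "linkedin-2012": [
        ("alice@example.com", "dadada"),
        ("bob@example.com", "hunter2"),
        ("carol@example.com", "letmein1"),
    ],
    "myspace-2008": [
        ("bob@example.com", "hunter2"),
        ("dave@example.com", "password1"),
    ],
}

# A purported "new" dump of our users' logins, as it might be offered for sale.
PURPORTED_DUMP: List[Tuple[str, str]] = [
    ("Alice@Example.com", "dadada"),      # repackaged from linkedin-2012 (case differs)
    ("bob@example.com", "hunter2"),       # repackaged; present in two old breaches
    ("dave@example.com", "password1"),    # repackaged from myspace-2008
    ("erin@example.com", "s3cretpass"),   # never seen before (e.g. malware-harvested)
]


def normalize_email(email: str) -> str:
    return email.strip().lower()


def fingerprint(email: str, password: str) -> str:
    """Fixed-size identifier for a credential pair, so corpora can be indexed and
    compared without keeping plaintext dumps around longer than necessary."""
    return hashlib.sha256(f"{normalize_email(email)}\x00{password}".encode()).hexdigest()


def classify_dump(dump, known_breaches):
    """Split a purported dump into pairs that are simply repackaged from known
    breaches and pairs that are genuinely unseen. Returns
    ({normalized email: [breach names]}, [normalized emails of unseen pairs])."""
    index: Dict[str, List[str]] = defaultdict(list)
    for name, pairs in known_breaches.items():
        for email, password in pairs:
            index[fingerprint(email, password)].append(name)
    repackaged: Dict[str, List[str]] = {}
    unseen: List[str] = []
    for email, password in dump:
        sources = index.get(fingerprint(email, password))
        if sources:
            repackaged[normalize_email(email)] = sorted(sources)
        else:
            unseen.append(normalize_email(email))
    return repackaged, unseen


ITERATIONS = 50_000  # deliberately low for the example; see lead-in


def make_user(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 record as our own service would store it (no plaintext)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Our own user table (constructed): email -> (salt, hash).
USER_TABLE: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_user("dadada"),      # reused her leaked password here
    "bob@example.com": make_user("hunter2"),       # reused
    "dave@example.com": make_user("Tr0ub4dor&3"),  # different password here: not at risk
    "erin@example.com": make_user("s3cretpass"),   # unseen in old breaches, yet it matches
}


def accounts_to_reset(dump, user_table) -> List[str]:
    """Users whose leaked password verifies against our stored hash. Only those
    accounts are actually compromised and need a forced reset; whether the pair
    came from an old breach or fresh malware makes no difference to that."""
    hits = set()
    for email, password in dump:
        email = normalize_email(email)
        if email not in user_table:
            continue
        salt, stored = user_table[email]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if hmac.compare_digest(candidate, stored):
            hits.add(email)
    return sorted(hits)


if __name__ == "__main__":
    repackaged, unseen = classify_dump(PURPORTED_DUMP, KNOWN_BREACHES)
    print(f"{len(repackaged)} of {len(PURPORTED_DUMP)} pairs repackaged: {repackaged}")
    print("unseen pairs:", unseen)
    print("force reset:", accounts_to_reset(PURPORTED_DUMP, USER_TABLE))
```

Note that Erin’s pair is "unseen" in every old corpus yet still verifies against our table, which is why the reset decision is driven by the hash check rather than by the dump’s provenance: a pair that is not repackaged may be the output of password-stealing malware, exactly the second origin Twitter named.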
It seems Twitter is on top of this most recent problem. It is always easier to deal with a problem that you did not cause.