Twitter has sent notices to millions of users to reset their passwords after it came to light that usernames and passwords were leaked onto the "dark web," where cyber-criminals deal in the pilfered personal and financial information of online consumers.
However, the micro-blogging titan says the leak was not a result of its servers being hacked. Instead, the company suggested in a blog post that the situation could be "collateral damage" from breaches of other websites, and from users who are unwitting victims of malware.
Twitter stated in its blog post:
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we're acting swiftly to protect your Twitter account.
According to a Wall Street Journal report, the leak affects nearly 33 million users, but Twitter has not publicized the number of those affected.
Morey Haber, vice president of technology at BeyondTrust, told InformationWeek in an interview: "The Twitter exposure of 32 million records did not come from Twitter themselves. The media has been covering attacks against browsers like Internet Explorer, Edge, Chrome, and Firefox for years. Add-on solutions like Adobe Flash and Oracle Java have been a favorite for malware, and the [Wall Street Journal] article suggests that through attacks against consumer software, credentials for Twitter and other services have been scraped from users' browsers and transmitted to the internet."
Haber added that users recycling the same passwords on multiple sites increases the risk of exposing accounts exponentially. "All it takes is a little programming to join different databases of hacked information, regardless of the technique by which it was obtained, to build the correlation."
Twitter made the same point in its blog:
The recent prevalence of data breaches from other websites is challenging for all websites -- not just those breached. Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites. If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account. That's why a breach of passwords associated with website X could result in compromised accounts at unrelated website Y.
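The mechanism Twitter describes has a recognisable server-side signature: one source replaying mined credentials with automation tries many different usernames with only one or two attempts each, which is unlike a user mistyping their own password. The following Python script is an added example, not code from the article or from Twitter; it runs a detector over a constructed authentication log (the IP addresses are from documentation ranges and the usernames are invented) and reports both the sources that look like credential stuffing and any successful login from such a source, since that is the "compromised account at unrelated website Y" outcome the post warns about.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not taken from the article).
# One event per line: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2016-06-09T10:00:01 203.0.113.7 alice FAIL
2016-06-09T10:00:02 203.0.113.7 bob FAIL
2016-06-09T10:00:02 203.0.113.7 carol FAIL
2016-06-09T10:00:03 203.0.113.7 dave FAIL
2016-06-09T10:00:04 203.0.113.7 erin FAIL
2016-06-09T10:00:05 203.0.113.7 frank SUCCESS
2016-06-09T10:00:06 203.0.113.7 grace FAIL
2016-06-09T10:01:00 198.51.100.20 alice FAIL
2016-06-09T10:01:05 198.51.100.20 alice FAIL
2016-06-09T10:01:09 198.51.100.20 alice SUCCESS
2016-06-09T10:30:00 192.0.2.33 heidi SUCCESS
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return (flagged_ips, takeover_candidates).

    flagged_ips maps a source IP to the largest number of distinct
    usernames it attempted inside any `window`-long span; an IP is
    flagged once that count reaches `min_users`. Repeated attempts at a
    single username from one IP (ordinary mistyping, or brute force of
    one account) never trip this rule. takeover_candidates lists
    (ip, username) pairs where a flagged IP logged in successfully.
    """
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda event: event[0],
    )
    per_ip = defaultdict(list)
    for ts, ip, user, result in events:
        per_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in per_ip.items():
        start = 0
        peak = 0
        for end in range(len(attempts)):
            # Advance the window start until the span covers at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({user for _, user, _ in attempts[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_users:
            flagged[ip] = peak

    takeovers = [
        (ip, user)
        for ts, ip, user, result in events
        if result == "SUCCESS" and ip in flagged
    ]
    return flagged, takeovers


if __name__ == "__main__":
    flagged, takeovers = detect_stuffing(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"{ip}: {count} distinct usernames attempted within window")
    for ip, user in takeovers:
        print(f"possible account takeover: {user} logged in from {ip}")
```

On the sample log the script flags 203.0.113.7 (seven usernames in six seconds) and reports the successful login for "frank" from that address as a takeover candidate, while 198.51.100.20, which only retried a single account, is left alone. In practice the threshold and window are tuned per service, the distinct-username count is usually tracked per IP range or per device fingerprint as well as per single IP, and a flagged success is a trigger for forcing a password reset on that account, which is the response Twitter describes taking.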
With Twitter's password leak, as well as high-profile hacks on LinkedIn and MySpace, users should be on high alert for any unauthorized access attempts on their various online accounts and subscriptions. Users should also be cautious when receiving account warning notices from their service providers.
"Users should definitely not ignore the emails, but they also must be very cautious that the email they are receiving itself is legitimate," Haber warned. "It is very possible (for cyber thieves) to have a new phishing campaign to request password changes on these sites, but they actually collect your passwords via phishing attack."
A phishing attack is designed to dupe the user into unwittingly clicking on a malicious link or revealing personal information to a cyber thief posing as a trusted or legitimate person, like a family member, friend, or business.
"If you believe the (warning) email is questionable, or even certain it is correct, never click on the link in the email itself. Go to the web service itself and change the password there. This minimizes the risk the email has been compromised or is a part of another phishing attack," Haber said.