Twitter Password Leak: Users, Hacks Of Other Sites To Blame? - InformationWeek

Nearly 33 million Twitter usernames and passwords have been reportedly made public, but the micro-blogging site says its servers were not hacked. Then how did it happen?


Twitter has sent notices to millions of users to reset their passwords after it came to light that usernames and passwords were leaked onto the "dark web," where cyber-criminals deal in the pilfered personal and financial information of online consumers.

However, the micro-blogging titan says the leak was not a result of its servers being hacked. Instead, the company suggested in a blog post that the situation could be "collateral damage" from breaches of other websites, and from users who are unwitting victims of malware.

Twitter stated in its blog post:

The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we're acting swiftly to protect your Twitter account.

According to a Wall Street Journal report, the leak affects nearly 33 million users, but Twitter has not publicized the number of those affected.

(Image: German/iStockphoto)

Morey Haber, vice president of technology at BeyondTrust, told InformationWeek in an interview: "The Twitter exposure of 32 million records did not come from Twitter themselves. The media has been covering attacks against browsers like Internet Explorer, Edge, Chrome, and Firefox for years. Add-on solutions like Adobe Flash and Oracle Java have been a favorite for malware, and the [Wall Street Journal] article suggests that through attacks against consumer software, credentials for Twitter and other services have been scraped from users' browsers and transmitted to the internet."

Haber added that users' recycling of the same passwords on multiple sites increases the risk of exposing accounts exponentially. "All it takes is a little programming to join different databases of hacked information, regardless of the technique by which it was obtained, to build the correlation."

Twitter made the same point in its blog:

The recent prevalence of data breaches from other websites is challenging for all websites -- not just those breached. Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites. If a person used the same username and password on multiple sites then attackers could, in some situations, automatically take over their account. That's why a breach of passwords associated with website X could result in compromised accounts at unrelated website Y.

With Twitter's password leak, as well as the high-profile hacks of LinkedIn and MySpace, users should be on high alert for any unauthorized access attempts on their various online accounts and subscriptions. Users should also be cautious when receiving account warning notices from their service providers.


"Users should definitely not ignore the emails, but they also must be very cautious that the email they are receiving itself is legitimate," Haber warned. "It is very possible (for cyber thieves) to have a new phishing campaign to request password changes on these sites, but they actually collect your passwords via phishing attack."

A phishing attack is designed to dupe the user into unwittingly clicking on a malicious link or revealing personal information to a cyber thief posing as a trusted or legitimate person, such as a family member, friend, or business.

"If you believe the (warning) email is questionable, or even certain it is correct, never click on the link in the email itself. Go to the web service itself and change the password there. This minimizes the risk the email has been compromised or is a part of another phishing attack," Haber said.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
vnewman2, User Rank: Ninja, 6/13/2016 | 1:26:54 PM
Re: Not surprised
It could also be that they really did get hacked and the folks they hired aren't able to assess how it happened = there was no hack. It may come out in the future when they are finally able to find the source. I've heard this happen to several companies before.

Whoopty, User Rank: Ninja, 6/13/2016 | 7:44:47 AM
Not surprised
Although it does seem like buck-passing on the part of Twitter, I wouldn't be surprised if another site was the cause of the account hackings; it's far more common than people like to let on with password reuse, and they are often so simple it's laughable.

Password security has been known about for decades and yet it's still so rarely practiced.

RandyDowns, User Rank: Apprentice, 6/11/2016 | 4:02:48 PM
Hack Denial
It's always easy to blame other sites, and surely the other hacks lead to compromised credentials. However, it seems like Twitter is but too aggressive in denying the hack.