
Twitter forces password resets for accounts vulnerable to hackers

Twitter cross-checks leaked user data with its records, identifying and locking a number of accounts for extra protection

Twitter is forcing millions of users to reset their passwords after reports that the login credentials for nearly 33 million Twitter accounts were being traded on the dark web.

The leak was reported by stolen credential repository LeakedSource, which said Twitter was not hacked, but that the credentials were stolen using malware on users’ computers.

According to Twitter, the credentials may also have been amassed through the collection of information from other recent breaches, or a combination of both.

“The recent prevalence of data breaches from other websites is challenging for all websites – not just those breached,” Twitter said in a blog post.

“Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites,” the firm said.

LeakedSource said it had obtained the Twitter user data from a source using the alias Tessa88@exploit.im, but it is not known if this alias refers to a group or an individual.

Regardless of origin, Twitter said it had cross-checked the data from LeakedSource with its records and identified “a number of Twitter accounts” for extra protection.

“Accounts with direct password exposure were locked and require a password reset by the account owner,” Twitter said in a blog post.

Twitter has declined to specify how many users it had notified, but told the Wall Street Journal that the total was “in the millions”.

Passwords don’t pass muster

Once again the leaked data highlights the weakness of password-based security exacerbated by poor password practices, such as people repeatedly using the same password for multiple accounts or weak passwords.

According to LeakedSource, the most-frequently used password in the Twitter user data it obtained was “123456”, which was listed for more than 120,000 accounts.


The next most-frequently used passwords were “123456789”, “qwerty” and “password”.

The standard advice around passwords is to use strong, unique, non-dictionary passwords for all online accounts, enable two-factor authentication if available, and use a password manager.

Twitter is among the growing number of online services to offer two-factor authentication (2FA) or login verification as an extra layer of security.

Instead of only entering a password to log in, Twitter users can opt to also enter a code which is sent via text message to their mobile phone.

Although using browsers to locally store passwords may be convenient, it is very insecure, said Joe Siegrist, chief executive of password manager LastPass.

“When malware is at play, that very convenience is what prevents this option from being as secure and robust as it should be,” he said.

In contrast, Siegrist said, a dedicated password manager browser extension encrypts all user information using AES 256-bit encryption.

Malware hunts passwords

Tod Beardsley, security research manager at security firm Rapid7, said it appears the credentials were harvested from individual browsers’ password stores, which is troubling.

“We often recommend people save their passwords in dedicated password management systems such as KeePass, 1Password, or LastPass.

“It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls,” he said.

Online services are also increasingly taking steps to ensure users’ passwords are unique by searching leaked credentials for any matches and notifying users if any match is found.

Netflix recently took the pre-emptive step of asking users whose credentials were found among recently released data from old breaches at LinkedIn, Tumblr and MySpace to reset their passwords.

“Some Netflix members have received emails encouraging them to change their account passwords as a precautionary measure due to the recent disclosure of additional credentials from an older breach at another internet company,” Netflix said in a statement released to KrebsOnSecurity.
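The cross-check that Twitter and Netflix describe, as an added illustrative example (not Twitter's or Netflix's own code): constructed leaked email/password pairs are compared against a constructed user table of salted PBKDF2 hashes, accounts whose stored hash matches the leaked password are marked for lock and forced reset, accounts where only the email matches get a notification, and a reset to a password already present in the leak is refused.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of "leaked" credential pairs, shaped like a breach dump.
LEAKED = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "qwerty"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "correct-horse"),
]

def hash_password(password, salt, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever the service stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_user(email, password):
    """Create a user record with a fresh random salt (constructed test data)."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

def cross_check(users, leaked):
    """Map each affected account to 'lock' (leaked password verifies against
    the stored hash, i.e. direct exposure) or 'notify' (only the email matched).
    Accounts not present in the user table are ignored."""
    by_email = {u["email"]: u for u in users}
    outcome = {}
    for email, password in leaked:
        user = by_email.get(email)
        if user is None:
            continue
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            outcome[email] = "lock"          # direct exposure: lock, force reset
        else:
            outcome.setdefault(email, "notify")  # email matched, password did not
    return outcome

def reset_allowed(new_password, leaked):
    """Refuse a reset to any password that already appears in the leak."""
    exposed = {password for _, password in leaked}
    return new_password not in exposed

def most_common_passwords(leaked, n=3):
    """Frequency count of leaked passwords, as LeakedSource reported for '123456'."""
    return Counter(password for _, password in leaked).most_common(n)
```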


Nice to see that this corporation can see the problem and is implementing a quick fix. Except, as we all know, "quick" and "fix" don't always play well together. And while any help is appreciated, forcing users to change their password from 12345 to P@SsW0Rd won't do much good. We need a real, actual fix (whatever that may be), not another Whack-a-Mole quickie patch.
Considering how many apps access your Twitter through API I'd appreciate an option to review and block the access. Similar to what is offered with gmail account control.
That would be great if we could get a pop-up like Zone Alarm's PC firewall application letting us know something is asking for access. I always reject apps that ask for permissions to things that have nothing to do with the app... Come on people, read what it's asking for before clicking accept.
As for passwords, I use an algorithm that uses 4 special chars, 4 numbers and 4 mixed case letters... That should be secure enough. Yet I have got messages from e-mail accounts to change my password to something more secure. Really? What next, a drop of blood for DNA verification?
