
Twitter forces password resets for accounts vulnerable to hackers

Twitter cross-checks leaked user data with its records, identifying and locking a number of accounts for extra protection

Twitter is forcing millions of users to reset their passwords after reports that the login credentials for nearly 33 million Twitter accounts were being traded on the dark web.

The leak was reported by stolen credential repository LeakedSource, which said Twitter was not hacked, but that the credentials were stolen using malware on users’ computers.

According to Twitter, the credentials may also have been amassed through the collection of information from other recent breaches, or a combination of both.

“The recent prevalence of data breaches from other websites is challenging for all websites – not just those breached,” Twitter said in a blog post.

“Attackers mine the exposed username, email and password data, leverage automation, and then attempt to automatically test this login data and passwords against all top websites,” the firm said.

LeakedSource said it had obtained the Twitter user data from a source using the alias [email protected], but it is not known if this alias refers to a group or an individual.

Regardless of origin, Twitter said it had cross-checked the data from LeakedSource with its records and identified “a number of Twitter accounts” for extra protection.

“Accounts with direct password exposure were locked and require a password reset by the account owner,” Twitter said in a blog post.

Twitter declined to specify how many users it had notified, but told the Wall Street Journal that the total was “in the millions”.

Passwords don’t pass muster

Once again, the leaked data highlights the weakness of password-based security, exacerbated by poor password practices such as reusing the same password across multiple accounts or choosing weak passwords.

According to LeakedSource, the most-frequently used password in the Twitter user data it obtained was “123456”, which was listed for more than 120,000 accounts.


The next most-frequently used passwords were “123456789”, “qwerty” and “password”.

The standard advice around passwords is to use strong, unique, non-dictionary passwords for all online accounts, enable two-factor authentication if available, and use a password manager.

Twitter is among the growing number of online services to offer two-factor authentication (2FA) or login verification as an extra layer of security.

Instead of only entering a password to log in, Twitter users can opt to also enter a code which is sent via text message to their mobile phone.

Although using browsers to locally store passwords may be convenient, it is very insecure, said Joe Siegrist, chief executive of password manager LastPass.

“When malware is at play, that very convenience is what prevents this option from being as secure and robust as it should be,” he said.

In contrast, Siegrist said, a dedicated password manager browser extension encrypts all user information using AES 256-bit encryption.

Malware hunts passwords

Tod Beardsley, security research manager at security firm Rapid7, said it appears the credentials were harvested from individual browsers’ password stores, which is troubling.

“We often recommend people save their passwords in dedicated password management systems such as KeePass, 1Password, or LastPass.

“It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls,” he said.

Online services are also increasingly taking steps to ensure users’ passwords are unique by searching leaked credentials for any matches and notifying users if any match is found.
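The cross-check Twitter describes above (matching a leaked dump against its own records and locking accounts with direct password exposure) and the more general practice described in this paragraph can be done without the service ever holding plaintext passwords: each leaked password is hashed with the stored salt of the matching account and compared against the stored hash. The following is an added illustration written for this article, not Twitter's, Netflix's or LeakedSource's code. It assumes PBKDF2-HMAC-SHA256 as the password hash, a dump in `email:password` line format, and constructed sample users and leaked lines; the function names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed cost parameter for this illustration; production values are tuned per deployment.
PBKDF2_ROUNDS = 100_000


@dataclass
class UserRecord:
    email: str
    salt: bytes
    pw_hash: bytes  # PBKDF2-HMAC-SHA256(password, salt)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored hash for a password under a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(email: str, password: str) -> UserRecord:
    """Create a user record the way a service would at signup (salted hash only)."""
    salt = os.urandom(16)
    return UserRecord(email.lower(), salt, hash_password(password, salt))


# Constructed user table for the service; no real accounts.
USER_TABLE = {
    r.email: r
    for r in [
        make_record("alice@example.com", "correct horse battery staple"),
        make_record("bob@example.com", "123456"),
        make_record("carol@example.com", "qwerty"),
    ]
}

# Constructed leaked dump in "email:password" form; not real leaked data.
LEAKED_DUMP = """\
alice@example.com:hunter2
bob@example.com:123456
dave@example.com:password
carol@example.com:QWERTY
"""


def parse_dump(text: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines; emails are normalised to lower case, passwords kept verbatim."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than guessing
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs


def cross_check(dump_pairs, user_table) -> dict[str, str]:
    """Map each matching email to 'direct' (leaked password is the live password)
    or 'email_only' (the address is ours but the leaked password does not match)."""
    findings: dict[str, str] = {}
    for email, leaked_pw in dump_pairs:
        rec = user_table.get(email)
        if rec is None:
            continue  # not one of our users; nothing to do
        candidate = hash_password(leaked_pw, rec.salt)
        # Constant-time comparison of the derived hash against the stored one.
        if hmac.compare_digest(candidate, rec.pw_hash):
            findings[email] = "direct"
        else:
            findings.setdefault(email, "email_only")  # never downgrade a 'direct' hit
    return findings


def plan_actions(findings: dict[str, str]) -> dict[str, str]:
    """Direct exposure: lock and force a reset. Address-only match: notify the user."""
    return {
        email: ("lock_and_force_reset" if status == "direct" else "notify")
        for email, status in findings.items()
    }


if __name__ == "__main__":
    for email, action in plan_actions(cross_check(parse_dump(LEAKED_DUMP), USER_TABLE)).items():
        print(f"{email}: {action}")
```

The comparison is deliberately case-sensitive on the password (carol's leaked `QWERTY` does not match her live `qwerty`, so she is only notified), while the email address is normalised before lookup. Because the check derives a hash under the account's own salt, it costs one password-hash computation per leaked line, which is the price of not storing anything reversible.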

Netflix recently took the pre-emptive step of asking users whose credentials were found among recently released data from old breaches at LinkedIn, Tumblr and MySpace to reset their passwords.

“Some Netflix members have received emails encouraging them to change their account passwords as a precautionary measure due to the recent disclosure of additional credentials from an older breach at another internet company,” Netflix said in a statement released to KrebsOnSecurity.
