In what sounds like the perfect material for an internet meme, Twitter started filling with rumors about a security breach yesterday afternoon.
As a result, digital experts urged users to change their passwords and enable two-factor authentication. The latter has users confirm a login with a PIN code they receive on a secure device such as their smartphone.
However, it looks like rumors pertaining to the 32 million Twitter passwords being traded on the dark web were less than accurate. The good news is that, in spite of a huge number of Twitter user names and passwords being on sale in the dark underbelly of the internet, Twitter was not breached.
According to LeakedSource, a website that published the data, the login information was gathered via malware. Twitter's own security team backs the story.
"The purported Twitter @names and passwords [was] amassed combining information from recent breaches and malware on victim machines," says Michael Coates of Twitter in a blog post.
Twitter reacted swiftly and made sure that all users whose accounts were compromised modified their passwords as soon as possible.
The social media company is not the first big name to see the data of millions of its users exposed on the internet. In May 2016 alone, about 117 million LinkedIn accounts and 360 million MySpace credentials were up for grabs.
Coates notes that Twitter constantly examines the data extracted from other sites and cross-checks it with Twitter's own records, so that vulnerable users get notified on the spot. Coates explains that attackers try the leaked names, emails and passwords across "top websites," in the hope that users are lazy enough to reuse the same credentials on multiple platforms.
"Twitter protects access to accounts by evaluating items such as location, device being used, and login history," Coates says.
When it detects unusual behavior, Twitter sometimes forces users to change their passwords to ensure adequate protection. Coates revealed that, surprisingly, hackers are not the most reliable people in the world. He says that a number of the passwords purportedly linked to Twitter accounts are not even valid.
This is because hackers sometimes "bundle old breached data or repackage accounts" using multiple breach sources in an attempt to increase the selling value of the credentials.
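The cross-check Coates describes, sketched as an added example (not Twitter's code): it screens a leaked `name:password` dump against a service's own salted password hashes and separates accounts whose leaked password still works from stale or repackaged pairs. The storage scheme (PBKDF2-HMAC-SHA256), the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this example

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumed storage scheme: per-user random salt + PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

def screen_dump(dump_lines, user_db):
    """Return (exposed, stale): accounts whose leaked password still works,
    and accounts that appear only with passwords that do not match."""
    exposed, stale = set(), set()
    for line in dump_lines:
        # Split on the first ':' only; passwords may contain ':' themselves.
        name, sep, leaked = line.strip().partition(":")
        name = name.lstrip("@").lower()
        record = user_db.get(name)
        if not sep or not leaked or record is None:
            continue  # malformed entry, or an account from some other site
        candidate = hash_password(leaked, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            exposed.add(name)  # reused or stolen password is live: force a reset
        else:
            stale.add(name)    # old or repackaged data, not valid here
    return exposed, stale - exposed

# Constructed sample data: three local accounts and a six-line "dump".
USER_DB = {
    "alice": make_record("hunter2-reused"),
    "bob": make_record("fresh-unique-passphrase"),
    "carol": make_record("p:ss:word"),
}
SAMPLE_DUMP = [
    "alice:old-password",        # stale pair for alice
    "@Alice:hunter2-reused",     # still valid, so alice is exposed
    "bob:password123",           # never valid for this account
    "carol:p:ss:word",           # valid; the password contains ':'
    "mallory:whatever",          # not one of our accounts
    "garbage line without sep",  # malformed
]

if __name__ == "__main__":
    exposed, stale = screen_dump(SAMPLE_DUMP, USER_DB)
    print("force reset:", sorted(exposed), "| stale or invalid:", sorted(stale))
```

Because the stored hashes are salted, each leaked password has to be re-hashed with the target account's salt; comparing the dump against the hash column directly would find nothing.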
In a Wired interview, one of the hackers claimed to have offered the stolen data to spammers before setting it up for public sale. According to the hacker, the LinkedIn data had an approximate value of $20,000.
Twitter strongly emphasizes the importance of deploying multiple safety measures, such as two-factor authentication, as well as a password manager.