Active and inactive Twitter users alike should consider changing their login credentials, as an anonymous seller is reportedly selling nearly 33 million Twitter passwords on the dark web. According to LeakedSource, a site containing databases of leaked login credentials, an individual identified as Tessa88@exploit.im is trying to sell 32,880,300 passwords, which is more than 10 percent of Twitter's monthly active users.
The database being sold allegedly has 379 million records, with each record containing a username, password and at least one email address. LeakedSource claims it has checked 15 passwords and found them to be accurate. The asking price, reports ZDNet, is 10 bitcoins, or $5,745 at $574.50 to the bitcoin at the time of publication.
TechCrunch notes that many of the leaked accounts appear to be Russian, with six of the 10 most commonly appearing email domains being Russian (e.g. mail.ru and yandex.ru). Incidentally, last week the alias Tessa88@exploit.im also shared hacked data from Russian social networking platform VK with LeakedSource.
Since the passwords are not encrypted, it is unlikely the leak is due to a hack on Twitter or a third-party site. "The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter," wrote LeakedSource in a blog post on Wednesday.
Twitter security officer Michael Coates confirmed on Thursday that Twitter has not been compromised. “We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached,” tweeted Coates. “We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.”
Mashable advises not searching the LeakedSource database by inputting email addresses or other identifying information. Instead, it recommends looking at the site’s list of most commonly used passwords from Twitter to see if any passwords resemble yours. Or, you can play it even safer and change your password altogether.