On Thursday, reports that over 32 million Twitter accounts had been hacked and their passwords leaked filled online news publishers’ pages, but according to Have I Been Pwned security researcher Troy Hunt, there’s no need to panic yet.
“I'm highly skeptical that there's a trove of 32M accounts with legitimate credentials for Twitter,” Hunt told Ars Technica.
The rumors started Wednesday night when LeakedSource, a paid site that alerts subscribers to potential breaches of their internet accounts, wrote in a blog post that it had received a breach database containing nearly 33 million unique Twitter account emails and passwords. LeakedSource acquired the database from a hacker going by the name Tessa88, who also claimed a connection with the earlier LinkedIn and Myspace hacks.
According to the hacker, the database on offer contained 379 million Twitter account credentials dating from as early as 2015, but when LeakedSource analyzed the data, only about 33 million unique accounts were found.
So, Was Twitter Hacked? Probably Not.
In the last month, we’ve seen a number of massive breach databases that leaked over 640 million different internet account login credentials, but the alleged Twitter hack differs from those in that it contains newer account details that don’t appear to have been acquired through a breach of Twitter itself. In other words, Twitter wasn’t actually hacked. Instead, the database was assembled by some other means.
LeakedSource speculates that the Twitter account credentials may have been acquired when victims became infected with some kind of malware, which allowed hackers to access every saved username and password stored in victims’ internet browsers.
ZDNet contacted LeakedSource about the breach database and was able to verify that the Twitter account information of two of its employees was in the database, but a third employee said the Twitter email address listed for him was incorrect.
While Twitter is still conducting its own investigations regarding the database, Twitter Information Security Officer Michael Coates tweeted his confidence that the social media network had not been hacked.
As Coates notes, Twitter stores passwords using a password-hashing function called bcrypt, which is deliberately slow and makes the stored hashes far more difficult and time-consuming for attackers to crack. A dump of plaintext passwords is therefore hard to square with a breach of Twitter’s own database, which makes the company’s claim that it has not been hacked ring true.
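The two checks the article leans on, deduplicating the 379 million claimed rows down to 33 million unique accounts and asking whether the password fields look like bcrypt hashes or plaintext, can be scripted. The following Python triage helper is an added example, not code from the article or from LeakedSource; the dump lines are constructed and the bcrypt string is a sample hash, not a value from the real data set.

```python
import re
from collections import OrderedDict

# Constructed sample dump in the "email:password" shape described above.
# All values are invented for this example; none come from the real data set.
SAMPLE_DUMP = """\
alice@example.com:hunter2
bob@example.org:$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
Alice@Example.com:hunter2
carol@example.net:correct horse battery staple
dave@example.com:not-a-real-hash
bob@example.org:$2b$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
"""

# A bcrypt modular-crypt string: $2a$/$2b$/$2y$, a two-digit cost factor,
# then 53 characters of bcrypt's base64 alphabet (22 salt + 31 digest).
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def parse_dump(text):
    """Split 'email:password' lines; the password itself may contain ':'."""
    records = []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue  # skip blank or malformed rows
        email, password = line.split(":", 1)
        records.append((email.strip().lower(), password))
    return records


def dedupe_by_email(records):
    """Keep the first credential seen per case-folded email address."""
    seen = OrderedDict()
    for email, password in records:
        seen.setdefault(email, password)
    return seen


def triage(text):
    """Count raw rows, unique accounts, and bcrypt vs plaintext password fields."""
    records = parse_dump(text)
    unique = dedupe_by_email(records)
    hashed = sum(1 for p in unique.values() if BCRYPT_RE.match(p))
    return {"raw": len(records), "unique": len(unique),
            "bcrypt": hashed, "plaintext": len(unique) - hashed}


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP))
```

A dump taken from a bcrypt-protected database would be almost entirely hashes; a mostly plaintext result points to another source, such as credentials harvested from infected browsers.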
If Twitter Wasn’t Hacked Should I Still Change My Password?
But even if Twitter wasn’t hacked, aren’t 33 million leaked account credentials something to be concerned about? Of course they would be, if the figure were true. But at this point, Hunt doesn’t believe the 33 million number is accurate.
“The likelihood of that many records being obtained independently of a data breach and them being usable against active Twitter accounts is extremely low,” the researcher told iDigitalTimes.
If it were, he went on, Twitter would have implemented a mandatory password change for compromised account users, as has been the case with breaches like Myspace and LinkedIn.
While Hunt told iDigitalTimes earlier in the month that we may see more large breaches on the heels of the Myspace and LinkedIn hacks, at this point this doesn’t appear to be one of them.
So, the question remains: should you change your Twitter password? At this point, probably not. However, if you are not currently using two-factor authentication, we do advise enabling it to limit the damage from possible breaches in the future.
What Is Two-Factor Authentication? How To Enable Two-Step Verification On Twitter
Two-factor authentication, also known as two-step verification, is an excellent way of keeping your accounts secure where it is available. When you enable two-factor authentication, logging into your account requires not only knowing the account’s username and password, but also a second form of verification. In most cases this is a text message containing a one-time verification code. This way, anyone who obtains your username and password still cannot access the account without also having access to your phone. If you want to set up two-factor authentication for your Twitter account, do the following:
On a computer:
- Click on your tiny profile icon in the upper left-hand corner of the screen
- Click on settings
- Click on Security and Privacy
- Check the box that says “Verify Login Requests”
- You will then be taken through the steps to set up two-factor authentication.
On mobile:
- Tap on the “Me” tab
- Tap on the gear next to the “Edit profile” button
- Tap on “Settings”
- Tap on “Account”
- Tap on “Security”
- Toggle on “login verification.”