Hackers put millions of Twitter credentials up for sale on Wednesday. At this point, it’s a good idea to enable two-factor authentication on Twitter, and if you’re using the same password somewhere else, change it just to be safe.
There’s some confusion about how the data leaked, and the extent to which it’s a concern. Twitter says that it was not directly compromised. LeakedSource, a site that aggregates hacked data sets, says it received a collection of more than 32 million records that include some combination of an email address, a Twitter username, and a password. It suggests that a single piece of unknown malware could be to blame for the breach, but Jake Williams, founder of the cybersecurity consultancy Rendition InfoSec, considers that unlikely.
“I don’t think that really makes sense,” he says.
He is skeptical of the malware theory because many of the compromised records, whose passwords appear in plaintext, have blank password fields. “If there was malware on your machine,” he says, “I would expect it to log your password whether or not you chose to save it. The only time the hypothetical malware would be stuck with a blank password would be when the password was not saved and the user never logs in by typing their password while the malware is active.”
He suspects bad password hygiene. “My guess is that this is probably the result of users who share passwords among sites with less secure password storage practices,” says Williams. The timing supports that idea. The other Twitter data set, comprising 71 million accounts, has been offered up on the black market by Peace, the same hacker who has claimed responsibility for the recent hacks of MySpace and LinkedIn.
Those leaks were an order of magnitude larger than this reported Twitter incident. Over 360 million MySpace accounts were compromised, along with 117 million LinkedIn emails and passwords. In other words, if just 20 percent of those MySpace users recycled their email and password for their Twitter account, that gets you to 70 million “hacked” accounts with no effort on the part of the hackers other than a little cross-referencing.
Security researcher Troy Hunt, meanwhile, suspects that much of the database may be outdated or otherwise useless.
“It looks almost certain that this isn’t a breach of Twitter itself, rather an aggregation of data from unknown sources,” says Hunt. “It’s highly unlikely there are 32 million credentials in there that are usable against Twitter accounts.”
Ultimately, this looks like a “better safe than sorry” scenario. It’s a good prompt, though, to enable two-factor authentication on Twitter if you haven’t already. That’s going to give you an extra layer of protection if someone swipes your credentials.
It’s also easy! Go to Twitter on your desktop, click on Profile and Settings in the upper right-hand corner (it’s hiding under your avatar). From there, go to Mobile, enter your phone number, and type in the confirmation code that Twitter texts you. Then, under Privacy and Security, check the box that says Verify login requests. You’ll be sent one more confirmation code to make extra-sure it’s you, and that’s it! From now on, attempts to sign in from new devices will require a special code sent to your phone only.
While you’re at it, if you’re someone who uses the same password everywhere, it’s time to start mixing it up. Start fresh! Get a password manager, even. It’s a temporary headache that could save you a lot of trouble down the road.
You can find tips from several password experts here, the most important of which are to prioritize length over complexity (16 characters minimum, please), and never to use the same password across multiple accounts. That may be, after all, what has gotten so many Twitter users in trouble in the first place.
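The two habits the article asks for, no password shared between accounts and nothing shorter than 16 characters, are easy to check against a password manager’s export. The script below is an added example, not code from the article or from any password manager; it assumes a generic site,username,password CSV layout, and the four entries in it are constructed sample data. It reports only which sites share a password or fall under the length floor, never the passwords themselves.

```python
"""Audit a password-manager export for reused and short passwords.

Assumed export layout: a CSV with site,username,password columns
(a constructed stand-in; real exports vary by product).
"""
import csv
import io
from collections import defaultdict

MIN_LENGTH = 16  # the article's "16 characters minimum"

# Constructed sample export: alice reuses one password on two sites
# and has one short password.
SAMPLE_EXPORT = """site,username,password
twitter.com,alice,correct horse battery staple
myspace.com,alice,correct horse battery staple
linkedin.com,alice,Summer2016!
bank.example,alice,x7#Qp9!vLm2@Rt4zWq1
"""


def load_export(text):
    """Parse the CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(entries):
    """Map every password used on more than one site to the sites sharing it.

    Direct comparison is acceptable here because the export is already
    plaintext on the user's own machine; the result deliberately carries
    sites, not the secrets, so it can be shown or logged.
    """
    by_password = defaultdict(list)
    for e in entries:
        if e["password"]:  # skip blank fields rather than grouping them
            by_password[e["password"]].append(e["site"])
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def find_short(entries, min_length=MIN_LENGTH):
    """Return the sites whose password is shorter than min_length."""
    return sorted(e["site"] for e in entries if len(e["password"]) < min_length)


def audit(text):
    """Run both checks over an export and return the findings."""
    entries = load_export(text)
    return {"reused": find_reused(entries), "short": find_short(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for sites in report["reused"].values():
        print(f"one password reused on {len(sites)} sites: {', '.join(sites)}")
    for site in report["short"]:
        print(f"shorter than {MIN_LENGTH} characters: {site}")
```

Run it against a real export only on the machine the manager lives on, and delete the export afterwards; the point of the check is to find the accounts to rotate first, which in this sample are the two sharing a password and the one with the 11-character password.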