Hacked accounts of hundreds of millions of Twitter users are being sold for prices ranging from $2,500 (4.5 bitcoins) to $5,800 (10 bitcoins), according to a pair of infamous hackers from the Russian underground.
Twitter boasts 310 million active monthly users. More than 32 million credentials are being traded on the dark web while one seller claimed to have more than 300 million for sale. The hacked credentials include email addresses and passwords in plain text.
Twitter has strongly denied any breach of its systems, and available evidence suggests that the social network was not hacked.
We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached.
— Michael Coates (@_mwc) June 9, 2016
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates (@_mwc) June 9, 2016
One hacker selling the Twitter hack uses the alias Tessa88. It’s the same name that’s been spotted selling databases from the recent hacks of 427 million Myspace accounts and 100 million VK.com accounts.
Tessa88 told the Daily Dot on Wednesday night that the stolen data was 11 months old. The age of the data breach has not been verified, but if the breach is actually several years old, it’s less likely that anyone is going to pay a hefty fee for out-of-date data.
The other individual spotted selling the Twitter hack is Peace_of_mind, who was last seen selling the VK.com accounts. Peace, who describes himself as a “shady dark web data dealer,” operates on popular dark net markets and boasts a 100 percent satisfaction rate.
Analysis by LeakedSource.com concluded that, after removing duplicates, more than 32 million accounts were being sold, not the 400 million that were being advertised.
If Twitter itself had been hacked, the number of accounts would likely be much higher. Of the hacked accounts, the highest number of users had mail.ru accounts, but Twitter’s biggest country is the U.S., where mail.ru is far less popular. Finally, it’s unlikely that Twitter itself stores passwords in plain text.
All of this suggests a different but as yet unknown source for the hacked information.
To protect yourself, you should change your Twitter password to a unique and strong password that is not shared on another website. Use a password manager like KeePass or LastPass to make this task easier.
LeakedSource.com has uploaded 32 million records from the hack. You can search that site to see if your account and password are included in the breach.