Millions of Twitter passwords were stolen. What can users do?
Russian hacker Tessa88 stole the account information of millions of Twitter users and is now selling the information for nearly $6,000 a user.
Kacper Pempel/Reuters/File
Millions of Twitter accounts have been compromised, a Russian seller with ties to the Myspace, LinkedIn, and Tumblr data breaches claimed Tuesday.
The seller, who goes by Tessa88, appears to have obtained the login credentials of more than 32 million users, which, for each of them, includes at least one email address, a password, and a username.
"The lesson here? It’s not just companies that can be hacked," wrote Leakedsource.com, a breach notification website that verified Tessa88's claims. "Users need to be careful, too."
The author of the Leakedsource.com blog post isn't the only expert to urge the public to be smarter about the passwords they choose. Especially after Facebook chief executive officer Mark Zuckerberg's Twitter password was found to be just "dadada," experts have insisted that users come up with more creative, secure passwords.
Twitter itself doesn't appear to have been hacked, it said in a statement.
"We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we've been working to help keep accounts protected by checking our data against what's been shared from recent other password leaks," a Twitter spokesperson said, according to TechCrunch.
Leakedsource.com supported Twitter's account: passwords stolen from Twitter itself would have been encrypted, the website said, whereas the passwords in this database were plain text.
The data breach likely occurred through malicious software, which could have sent usernames and passwords saved in Chrome, Firefox, and other internet browsers to the hackers, according to Leakedsource.com. The majority of users appear to live in Russia, wrote Leakedsource.com.
In an encrypted message Tuesday, Tessa88 offered the usernames and passwords of 379 million Twitter accounts from as early as 2015, each for a price of 10 bitcoins ($5,819.30 by press time), according to ZDNET. Because there were only 310 million Twitter users in 2015, according to ZDNET, Leakedsource.com suspects the number of accounts is more likely about 32,888,300. Perhaps more concerning than the scope of the data breach is the passwords users chose.
The most popular passwords on the list are a simple, generic combination of numbers and letters. The most popular – the password of 120,417 users – is just "123456," according to Leakedsource.com. Second is "123456789," followed by "qwerty" and "password."
Though Facebook’s Mr. Zuckerberg was not in the data set (Leakedsource.com checked), he has received blowback for his password of "dadada" for his Twitter and Pinterest accounts.
"The most frustrating part is that all of this could have been avoided," said tech writer Alexandra Samuel in The Christian Science Monitor. Ms. Samuel admits that, like Zuckerberg, she was hacked because of "bad password security."
"After all, it’s not difficult to protect yourself online: create unique, tough-to-guess passwords for every account, change your passwords whenever a site gets hacked, and use two-factor authentication whenever possible. Also, don’t forget to use a password manager to generate, encrypt, store and update passwords for you. I used 1Password, an app that makes it possible to see which passwords I used for all my digital identities."
To combat malware and other password-cracking software, security expert and cryptographer Bruce Schneier recommends turning a sentence you can remember into a password, writes the Monitor's Max Lewontin.
Examples from the site LifeHacker include:
WOO!TPwontSB = Woohoo! The Packers won the Super Bowl!
PPupmoarT@O@tgs = Please pick up more Toasty O's at the grocery store.
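As an added example (not part of the article or of Mr. Schneier's writing), the following Python turns a memorable sentence into a password by the mechanical core of the scheme described above, and checks the result against the most common passwords named in the article. The substitution table, the 12-character minimum and the character-class rule are this example's own assumptions.

```python
import re

# The most common passwords named in the article, plus Zuckerberg's "dadada".
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "dadada"}

# Assumed word-to-symbol swaps. The article's hand-made examples use "@" for
# "at"; the rest of this table is this example's own choice.
SUBSTITUTIONS = {"at": "@", "and": "&", "to": "2", "for": "4"}


def sentence_to_password(sentence: str) -> str:
    """Mechanical version of the scheme: keep the first letter of every word
    (case preserved), keep punctuation, swap a few words for symbols."""
    out = []
    # Words (with apostrophes) or single punctuation characters; spaces dropped.
    for token in re.findall(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']", sentence):
        word = token.strip("'")
        if not word:
            continue  # a stray apostrophe carries no letter
        if word[0].isalnum():
            out.append(SUBSTITUTIONS.get(word.lower(), word[0]))
        else:
            out.append(token)  # "!" or "?" adds a symbol for free
    return "".join(out)


def is_weak(password: str, min_length: int = 12) -> bool:
    """True for the article's popular passwords, for anything shorter than
    min_length (an assumed threshold) and for single-character-class strings
    such as all digits."""
    if password.lower() in COMMON_PASSWORDS or len(password) < min_length:
        return True
    classes = (
        any(c.islower() for c in password)
        + any(c.isupper() for c in password)
        + any(c.isdigit() for c in password)
        + any(not c.isalnum() for c in password)
    )
    return classes < 2


if __name__ == "__main__":
    for sentence in ("Woohoo! The Packers won the Super Bowl!",
                     "Please pick up more Toasty O's at the grocery store."):
        pw = sentence_to_password(sentence)
        print(f"{sentence!r} -> {pw!r} weak={is_weak(pw)}")
    for pw in ("123456", "dadada", "WOO!TPwontSB", "PPupmoarT@O@tgs"):
        print(f"{pw!r} weak={is_weak(pw)}")
```

The purely mechanical output ("W!TPwtSB!") is shorter than the LifeHacker examples, which keep extra letters such as "wont" and "moar"; that padding is what lets the article's versions clear the assumed length check.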