Days after a number of prominent Twitter accounts got hacked — including those belonging to musicians Katy Perry and Drake as well as Twitter co-founder Evan Williams — nearly 33 million Twitter usernames and passwords are being sold online.
Each record consists of one or two email addresses, username and password, but what's odd about this leak is that the passwords aren't encrypted at all. While this is bad news for users whose credentials are now available online (Leakedsource says it checked the authenticity of the passwords with 15 users, all of which confirmed they were genuine), this indicates that they were not obtained by hacking Twitter or a third-party site.
"The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter," Leakedsource wrote in a blog post Wednesday.
On its support account, Twitter said it's taking steps to protect users that may have been affected by the recent password leaks.
To help keep people safe and accounts protected, we've been checking our data against what's been shared from recent password leaks.— Twitter Support (@Support) June 6, 2016
And Twitter security officer Michael Coates tweeted Thursday that the company is confident its systems have not been hacked.
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.— Michael Coates ஃ (@_mwc) June 9, 2016
TechCrunch notes that the passwords Leakedsource has obtained might simply be old passwords that are circulating on the dark web. Be that as it may, you should make sure your Twitter account is safe, your password is hard to break, and turn on two-factor authentication. Here's our advice on how to toughen the security of your online accounts.