
33 million Twitter accounts appear online but site wasn’t hacked

Shortly after the release of historical data breaches concerning LinkedIn and Myspace, a hacker known as “Tessa88@exploit.im” has released a large cache of Twitter credentials onto the dark web. Leaked data search engine LeakedSource said credentials are being traded “in the tens of million” online.
The data appears to be genuine and contains valid passwords. After contacting 15 people listed in the dump, LeakedSource verified the passwords of all the users, indicating the data is relatively recent and is not faked.
Despite the apparent authenticity, LeakedSource said it has “very strong evidence” that Twitter’s own database has not been compromised. Instead, it appears as though “tens of millions” of people have become infected with malware that has stolen their login details.
The site hypothesised that malware disguised as a plugin for popular web browsers Google Chrome and Mozilla Firefox could be saving usernames and passwords and sending them to the hackers. This would happen silently without the user knowing, giving the people behind the scheme a steady supply of recent credentials.
The structure of the leaked data appears to support this. All of the passwords are stored in plaintext, even for users who only recently signed up. While Twitter could have stored passwords insecurely a decade ago, it certainly doesn’t keep user data in plaintext today.
Additionally, the email domains in the list don’t suggest a full database leak has occurred. The addresses are disproportionately Russian, again a strong indicator that this is malware that has swept through a region. As a final sign, a “significant” number of passwords in the database are “blank” or “null,” values browsers commonly use as saved credentials if you don’t specify a password.
The most frequently used passwords in the dump are predictably insecure. The most popular is “123456,” followed by “123456790,” “qwerty” and “password.” The most common email domain is Russia’s “mail.ru,” followed by “yahoo.com” and “hotmail.com.”
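The three indicators described above (plaintext storage, blank or null placeholder values, and a skewed mix of email domains) can be measured directly when triaging a credential dump. The following is an added example, not LeakedSource's tooling: the `email:password` line format, the placeholder spellings and the `triage` function are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter

# Values that look hashed: hex digests of MD5/SHA-1/SHA-256 length, or crypt-style "$id$..." strings.
# A plaintext password that happens to be 32/40/64 hex characters would be miscounted as hashed.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|\$[0-9a-z]+\$.+)$")
PLACEHOLDERS = {"", "null", "blank"}  # assumed spellings of the "blank"/"null" values

def triage(lines, sep=":"):
    """Summarise 'email<sep>password' lines for the three indicators."""
    domains, kinds = Counter(), Counter()
    for line in lines:
        email, _, password = line.rstrip("\n").partition(sep)
        if "@" not in email:
            kinds["malformed"] += 1  # counted, but excluded from the ratios
            continue
        domains[email.rsplit("@", 1)[1].lower()] += 1
        if password.strip().lower() in PLACEHOLDERS:
            kinds["placeholder"] += 1
        elif HASH_RE.match(password):
            kinds["hashed"] += 1
        else:
            kinds["plaintext"] += 1
    total = sum(domains.values())
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    return {
        "records": total,
        "plaintext_ratio": kinds["plaintext"] / total if total else 0.0,
        "placeholder_ratio": kinds["placeholder"] / total if total else 0.0,
        "hashed_ratio": kinds["hashed"] / total if total else 0.0,
        "top_domain": top_domain,
        "top_domain_share": top_count / total if total else 0.0,
        "malformed": kinds["malformed"],
    }

# Constructed sample records (not taken from any real dump).
SAMPLE = [
    "anna@mail.ru:123456",
    "boris@mail.ru:qwerty",
    "vera@mail.ru:null",
    "dmitri@mail.ru:",
    "carol@yahoo.com:password",
    "dave@hotmail.com:5f4dcc3b5aa765d61d8327deb882cf99",
    "not-an-email-line",
    "eve@example.org:blank",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A dump dominated by plaintext and placeholder values with one regional domain over-represented matches the client-side theft pattern the article describes; a dump of uniformly hashed values would point toward a server-side database instead.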
LeakedSource’s explanation of the incident implies that a hacker group is running a very successful strain of malware capable of stealing Twitter login credentials from major browsers. To have collected the volume of data released onto the dark web, the malware must have been operational for some time. It could still be active today.
Twitter has acknowledged the situation, taking a proactive approach to the matter despite there being no indication of its site being compromised. “To help keep people safe and accounts protected, we’ve been checking our data against what’s been shared from recent password leaks,” the company said in a tweet this week. It later confirmed it could find no indication of a data breach from its servers.
