More than 32 million Twitter login names and passwords are available for sale on the Dark Web, according to a blog post by Leaked Source, a company with a database of stolen login data.
The 32,880,300 Twitter credentials are being sold by an individual identified by the alias Tessa88, said Leaked Source, even though Twitter has already denied that its systems were breached by hackers. Tessa88 put the entire database up for sale for 10 bitcoins, or about $5,800 at the time of writing.
Michael Coates, Twitter’s main security officer, admitted the company was working with Leaked Source to identify the origin of the purportedly leaked information.
“We have investigated reports of Twitter usernames/passwords on the dark web, and we’re confident that our systems have not been breached,” said Coates in a tweet. “We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users,” he added.
Twitter uses the bcrypt hash function to store password hashes. Bcrypt hashes are so slow and computationally costly to crack that it would have required vast amounts of time and effort for anyone to recover the underlying plaintext.
Each record consists of one or two email addresses, a username and a password, but what’s odd about this leak is that the passwords aren’t encrypted at all: they appear in plaintext.
“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” Leaked Source wrote in a blog post Wednesday.
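The contrast above, between bcrypt hashes on the server and plaintext passwords in the dump, is the kind of check a responder can run on a credential list to judge where it came from. The following is an added example, not code from Twitter or Leaked Source; the `email:username:password` record layout, the function names and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Modular-crypt bcrypt string: $2b$<cost>$ + 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Unsalted hex digests, keyed by length in hex characters.
HEX_DIGESTS = {32: "md5-like", 40: "sha1-like", 64: "sha256-like"}


def classify_secret(value):
    """Label one password-column value by its apparent storage format."""
    m = BCRYPT_RE.match(value)
    if m:
        cost = int(m.group(1))
        # bcrypt accepts cost factors 4..31; anything else is malformed.
        return f"bcrypt(cost={cost})" if 4 <= cost <= 31 else "malformed-bcrypt"
    if HEX_RE.match(value) and len(value) in HEX_DIGESTS:
        return HEX_DIGESTS[len(value)]
    return "plaintext-or-unknown"


def summarize_dump(lines, sep=":"):
    """Count storage formats across 'email:username:password' records."""
    counts = Counter()
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        # Split only twice from the left: a password may contain the separator.
        parts = line.split(sep, 2)
        if len(parts) != 3:
            counts["unparseable"] += 1
            continue
        counts[classify_secret(parts[2])] += 1
    return counts


# Constructed sample records (assumed layout, not taken from any real dump).
SAMPLE = [
    "a@example.com:alice:hunter2",
    "b@example.com:bob:pa:ss:word",
    "c@example.com:carol:$2b$10$" + "A" * 22 + "B" * 31,
    "d@example.com:dave:" + "0123456789abcdef" * 2,
    "broken-line",
]

if __name__ == "__main__":
    for label, n in summarize_dump(SAMPLE).most_common():
        print(f"{n:3d}  {label}")
```

A dump dominated by `plaintext-or-unknown` entries is inconsistent with a copy of a bcrypt-backed password table and points toward collection on the client side, which is the explanation Leaked Source gives.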
Recently, there has been a spate of high-profile hacks and data dumps on the dark web, and security experts recommend that users take advantage of Twitter’s two-factor authentication to make their accounts more secure.