32 Million Twitter passwords may have been stolen — top passwords may surprise you

Leave a comment

June 12, 2016 by Paul Dughi

If your Twitter password is “123456,” “querty,” or “password,” you might have bigger security issues than knowing your Twitter password’s been stolen. But amazingly, those were three of the top five passwords among the 32 million accounts uncovered by the website LeakedSource.

They got my password

You may have seen the news about Mark Zuckerberg’s Twitter account being hacked and his password posted, or the NFL’s Twitter account being hacked and a posting saying NFL Commissioner Roger Goodell had died. I was able to check that one of my Twitter accounts was included in the leaked data. I’ll show you how you can check yours below. I don’t know whether to be relieved or insulted that nobody posted fake stuff to my account. But then again, if you see something weird from me in the future, I can always use that “I’ve been hacked” defense!

SOURCE: LeakedSource Analysis/Twitter Hack

LeakedSource was able to get a copy of the data that’s being traded and sold on the dark web.

LeakedSource is the same group which just uncovered 100+ million LinkedIn passwords that had been making its way around the internet, as well as leaked passwords for Badoo.com and MySpace.

The group says something scarier than the leak. They claim to have found “very strong evidence” that Twitter was not hacked. Instead, LeakSource believes tens of millions of people have become infected by malware, using web browsers like Firefox and Chrome, which is recording and sending passwords back to the hackers. This is really bad news, because if that’s true, the hackers probably have more than just the Twitter passwords. Think about all the password-protected places you’ve been on your computer lately — like your bank account — and you will quickly understand this could be a really big deal.

The group says the passwords were saved as plain text. Twitter, in its defense, doesn’t store passwords that way. They’re encrypted. But the browsers do.

Change your passwords regularly and be a little more creative

For gosh sakes, pick something a little more complex than “123456” or the name of the website you’re visiting.

SOURCE: LeakedSource Analysis/LinkedIn Hack

Here are the top passwords associated with LinkedIn accounts in the hack. “123456” was top again, followed by “linkedin” and “password.”

It wasn’t much different for Badoo or MySpace. You’ll notice not one of those is a complex password as every security expert and every IT person ever has told us to use.

Here’s my thought. You probably wouldn’t need the hack to guess these passwords. Three-Quarters of a million Linkedin users were using “123456.” If I were trying to break into someone’s account, that’s the first thing I’d try.

These leaked lists contain not only the passwords, but they are matched up to email addresses and/or login names.

See if your account is in the leaked passwords

While LeakedSource has not made available the leaked passwords, they have put together a database that you can search to see if yours is among the hack.

Twitter Responds — Many accounts locked

coates twitter

If you were locked out of your Twitter account or had to re-validate your information recently, this is why.

Twitter’s top security guy, Michael Coates, says they are confident the leak didn’t come from Twitter and are working with LeakedSource to get to the bottom of things.

Twitter also reports that they are locking accounts of users they believe may have been breached in the process.

“In each of the recent password disclosures, we cross-checked the data with our records,” Coats wrote in an official blog. “As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.”

Coates also details Twitter’s efforts and what you can do to make yourself more secure here.

SOURCE: LeakedSource Analysis/MySpace Hack

Slightly more creative passwords

Fairly similar results showed in the Badoo and MySpace hacks, although 125,000+ people used “f**kyou1,” just slightly more than used “iloveyou1” or “princess1” for their MySpace passwords.

May not all be valid passwords

One security expert I talked to — who didn’t want to be identified because of his employer — said he would have a hard time believing all the data could be accurate.

LeakedSource said that it checked the leaked data by asking 15 users to verify their passwords. All of them confirmed the passwords were accurate. That was enough, according to LeakedSource, to raise the alarm.

Whether the full list is accurate enough, this “leaked password” thing is becoming an every day occurrence. It’s high time for all of us to take password security a little more seriously… like use a complex password and change them every once in a while.

Screen grab for now deleted fake tweet sent from NFL Twitter Account

Recent Twitter Hacks

Mark Zuckerburg’s account was hacked recently, although he was just as guilty of using a poor password (his was dadada). Last week, the NFL twitter account was compromised, which resulted in someone posting that NFL commissioner Roger Goodell had died. It wasn’t true, in case you were wondering. He was a fairly good sport about it, posting this.

Goodell

At least one news channel, CNBC, reported that Goodell had died in one of those crawls at the bottom of the screen. They quickly pulled it back as it took only moments for the information to be proven to be false.

Reusing the same passwords

Another big problem is people using the same passwords on multiple places. Once the hackers have your password and email for one site, they’re finding it all too common that people are using the same passwords elsewhere. Bad practice, people.

Brian Krebs report that Netflix and Facebook are also going through the leaked data to check common users. Some people have reported getting a message like this one from Netflix.

“We believe your Netflix account credentials may have been included in a recent release of email addresses and passwords from an older breach at another company. Just to be safe, we’ve reset your password as a precautionary measure.”

I didn’t connect the dots at the time, but I had to reset my Netflix password recently. So maybe I was one of those Netflix users to get the message. That’s unsettling since it’s a different user name (email account) and password than used on Twitter.

Upon reflection, I’m changing all my passwords this week and updating my security software to make sure my browsers aren’t compromised. Might be time for you to do this, too.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Contact Me

Previous Posts

Recent Visitors

%d bloggers like this: