Hackers are trading tens of millions of Twitter credentials on the darknet, according to LeakedSource, a search engine that trawls leaked records, which warns that malware was used to grab the data from users' own machines rather than from Twitter.
LeakedSource says that it has obtained a data set of almost 33 million Twitter records. Each record may contain an email address, a username, sometimes a second email and a visible password, it says.
Twitter has 310 million monthly active users so the purportedly leaked data would account for a significant chunk of the service’s user base.
“We have very strong evidence that Twitter was not hacked, rather the consumer was,” LeakedSource explained, describing the credentials as real and valid. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.”
The darknet refers to private networks built from connections between trusted peers using unconventional protocols. Darknets are just one part of what is known as the deep web – the vast portion of the web that is not indexed by search engines such as Google and Bing.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached,” explained Twitter, in a statement sent to FoxNews.com. “In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
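The kind of cross-check Twitter describes, comparing a third-party leak against a site's own credential store so that affected accounts can be forced to reset, can be done without ever storing the leaked plaintext. The script below is an added example written for this article; it is not Twitter's code and not LeakedSource's, and it assumes a constructed leak dump in the email/password shape the article describes plus a constructed user table. PBKDF2-SHA256 from the standard library stands in for whatever slow password hash a real service uses; the matching logic is the same.

```python
import csv
import hashlib
import hmac
import io
import os

# Hypothetical password hashing for the site's own store. Stands in for
# bcrypt/scrypt/Argon2; kept to the standard library so the example runs offline.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(users):
    """Build a constructed credential store: email -> (salt, hash). Plaintext is discarded."""
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


# Constructed leak dump in the "email,password" shape the article describes.
# These are made-up values, not from any real leak.
LEAK_DUMP = """email,password
Alice@example.com,hunter2
bob@example.com,wrongguess
carol@example.com,correct horse battery staple
dave@example.org,unrelated
"""


def parse_leak(text: str):
    """Parse leaked rows, normalising the email so it keys into the store consistently."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["email"].strip().lower(), row["password"]) for row in reader]


def find_reused_credentials(store, leak_rows):
    """Return emails whose leaked password still matches their current password here.

    Only leaked rows whose email exists in the store are hashed, and the comparison
    uses a constant-time compare against the stored hash. Matches are the accounts
    a defender would force to reset; the leaked plaintext is never persisted.
    """
    hits = []
    for email, leaked_pw in leak_rows:
        entry = store.get(email)
        if entry is None:
            continue
        salt, stored_hash = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            hits.append(email)
    return hits


def demo():
    # Constructed user table: alice and carol reused their leaked password, bob did not.
    store = make_user_store([
        ("alice@example.com", "hunter2"),
        ("bob@example.com", "a-different-password"),
        ("carol@example.com", "correct horse battery staple"),
    ])
    return find_reused_credentials(store, parse_leak(LEAK_DUMP))


if __name__ == "__main__":
    for email in demo():
        print(f"force password reset: {email}")
```

Because the site only ever has salted slow hashes, the check is necessarily CPU-bound per leaked row; filtering leaked rows to emails that actually exist in the store before hashing keeps the cost proportional to the overlap rather than to the size of the dump.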
Twitter accounts are certainly in the security spotlight at the moment. The NFL’s Twitter account, for example, was briefly taken over Tuesday, with hackers using the account to tweet that commissioner Roger Goodell had passed away. The league’s Vice President of Communications Brian McCarthy subsequently tweeted from his own account that the Goodell tweet was false, adding that Goodell is alive and well.
Hackers have also targeted Facebook CEO Mark Zuckerberg's social media accounts, briefly hijacking his Twitter, LinkedIn, and Pinterest accounts. Last month Katy Perry’s Twitter account was hacked and used by someone to send out a series of unsavory tweets.
The reported use of malware to grab 33 million Twitter account credentials is worrying for users, says Tod Beardsley, security research manager at cybersecurity specialist Rapid7.
“While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself,” he explained, in a statement emailed to FoxNews.com. “Specifically, it appears that the credentials were harvested from individual browsers’ password stores, which is troubling.”
Beardsley recommends that people store their passwords in a dedicated password manager such as KeePass, 1Password, or LastPass instead of the browser. “It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”
Follow James Rogers on Twitter @jamesjrogers