Twitter was not hacked; instead, individual users were targeted by malware.
More than 32 million Twitter credentials are up for sale on the dark Web, though the microblogging service says its systems have not been breached.
LeakedSource, a search engine for leaked records, said in a blog post Wednesday that it obtained a copy of the stolen information from a user who goes by the alias “Tessa88@exploit.im.” The data set contains 32,888,300 Twitter records, including email addresses, usernames, and passwords.
“These credentials however are real and valid,” LeakedSource wrote. “Out of 15 users we asked, all 15 verified their passwords.”
LeakedSource said it has “very strong evidence that Twitter was not hacked”; instead, individual users were targeted.
“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” LeakedSource wrote.
Twitter, meanwhile, also said the leak didn’t come from a breach of its systems.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach,” a Twitter spokesperson said. “In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
Because the passwords were stolen directly from consumers, they are in plaintext with no encryption or hashing, LeakedSource said.
Twitter is working with LeakedSource to obtain the leaked information and “take additional steps to protect users,” Trust and Information Security Officer Michael Coates wrote in a Thursday tweet. For now, Twitter users can head over to LeakedSource’s homepage to see if their credentials were involved in this or other recent data leaks, including those affecting LinkedIn and Myspace.