More than 32 million records of Twitter account usernames, passwords, and email addresses have been obtained by the website LeakedSource, a paid repository for data breaches.
A hacker going by Tessa88 gave the dataset to the site, which contained a number of passwords in plaintext. The site said in a blog post it doesn't appear that Twitter itself was breached, but instead, individual users were likely infected with malware that stole their usernames and passwords for websites and sent them back to the hacker.
"While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself," Tod Beardsley, Security Research Manager at Rapid7, told Tech Insider in a statement. "Specifically, it appears that the credentials were harvested from individual browsers password stores, which is troubling."
Twitter's Trust and Information Security Officer Michael Coates said in a tweet that they investigated and were "confident that our systems have not been breached." A Twitter spokesperson told Tech Insider: "Our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks."
The hacker apparently targeted mostly Russian users, with the top email addresses coming from Russia-based email services. "Tessa88" was also the source of recent data dumps from MySpace and the Russian social networking site VK.
"We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass. It's just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls," Beardsley added.
