Twitter: credential leak not from server breach, we’re taking action
Michael Coates, Trust & Information Security Officer, stated in a blog post that the company is “confident the information was not obtained from a hack of Twitter’s servers.” Coates theorizes that the credentials could’ve been obtained from an amalgamation of data from past breaches of other sites and/or malware that reads browser-stored passwords.
The company took action:
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.
Twitter is working with LeakedSource, which published a searchable database (but not any identifying information) of the cache it got from a Russian hacker:
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coates ஃ (@_mwc) June 9, 2016
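The two statements above describe one workflow: a leaked credential dump is cross-checked against the user table, accounts whose leaked password actually matches are locked for a reset, and accounts that merely appear in the dump get extra protection. Because bcrypt salts every hash per user, a defender cannot simply join the dump to the table on hashes; each leaked plaintext has to be verified against that user's own record. The following is an added example, not Twitter's code. It uses hashlib.scrypt from the Python standard library as a stand-in for bcrypt (same salted, memory-hard idea; bcrypt itself is not in the stdlib), and the user table and dump lines are constructed sample data.

```python
"""
Cross-check a leaked 'email:password' dump against a user table that stores
only salted password hashes, and decide per account what action is needed.

Added example, not Twitter's code. hashlib.scrypt stands in for bcrypt
(assumption); sample users and leak lines are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# scrypt cost parameters for the stand-in KDF: 128 * N * r = 16 MiB of memory.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex'. A fresh random salt per user by default."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def cross_check(leak_lines: Iterable[str], users: Dict[str, str]) -> Dict[str, str]:
    """
    Map each affected account to an action:
      'lock_and_reset'   - the leaked password verifies against the stored hash
                           (direct password exposure)
      'extra_protection' - the account appears in the dump but the leaked
                           password does not match (reuse elsewhere, old data)
    Emails not in the user table and malformed lines are skipped.
    """
    outcome: Dict[str, str] = {}
    for raw in leak_lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue  # malformed record; dumps are rarely clean
        email, _, password = line.partition(":")
        email = email.strip().lower()  # normalise before matching
        stored = users.get(email)
        if stored is None:
            continue  # not one of our accounts
        if verify_password(password, stored):
            outcome[email] = "lock_and_reset"
        elif outcome.get(email) != "lock_and_reset":
            outcome[email] = "extra_protection"  # never downgrade a confirmed match
    return outcome


# Constructed sample user table; fixed salts keep the example deterministic.
SAMPLE_USERS = {
    "alice@example.com": hash_password("correct horse battery", salt=b"\x01" * 16),
    "bob@example.com": hash_password("123456789", salt=b"\x02" * 16),
    "carol@example.com": hash_password("long-unique-passphrase", salt=b"\x03" * 16),
}

# Constructed sample dump: bob reused his password, carol's leaked password is
# from another site, dave is not a user, and one line is garbage.
SAMPLE_LEAK = [
    "Bob@Example.com:123456789",
    "carol@example.com:some-other-site-password",
    "dave@example.com:hunter2",
    "garbage line without separator",
]

if __name__ == "__main__":
    for account, action in sorted(cross_check(SAMPLE_LEAK, SAMPLE_USERS).items()):
        print(f"{account}: {action}")
```

The expensive part is deliberate: every leaked plaintext costs one full KDF evaluation against the matching user's salt, which is the same property that slows an attacker who holds the hashes. The "never downgrade" rule matters when a dump lists the same address several times with different passwords; one verified match is enough to lock the account.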
Twitter doesn’t shoulder blame for the leak, but it is taking proactive measures to contain it and reminding users that their passwords shouldn’t be “123456789”.