Twitter's Breach That Wasn't Prompts New Security Rules
NEWS ANALYSIS: Millions of Twitter usernames and passwords have appeared on the Dark Web, yet Twitter says their servers weren't breached. That doesn't mean the names weren't taken.The last few weeks have been one of those times when you almost say, "another day, another breach." In this case, something like 32 million purported Twitter user names and passwords have appeared on the Dark Web for sale. In response, the Twitter security folks found the names for sale, and set the accounts to require a new password, and sent the users affected an email explaining what happened. However, it's worth noting that Twitter is saying it wasn't breached. According to Twitter's Trust and Information Security Officer Michael Coates, those names and passwords were apparently gathered from the results of other breaches and, in some cases, at least were attempts to construct a Twitter name out of another set of credentials. "We've investigated claims of Twitter @names and passwords available on the 'Dark Web,'" Coates said in a blog post, "and we're confident the information was not obtained from a hack of Twitter's servers." Coates added, "The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we're acting swiftly to protect your Twitter account."
What that means is that Twitter checked the list, and is going to require users with breached passwords to reset their credentials. But Twitter has a list of suggestions, as well; perhaps the most important is a link to set up two-factor authentication for Twitter accounts. This will require you to enter a code that will be sent via text message every time you try to log in to Twitter. The Twitter security folks also suggest unique, complex passwords and the use of a password manager so that users don't have to try to remember what their password is. I covered those steps just a few days ago.