Twitter's Breach That Wasn't Prompts New Security Rules

NEWS ANALYSIS: Millions of Twitter usernames and passwords have appeared on the Dark Web, yet Twitter says its servers weren't breached. That doesn't mean the credentials weren't stolen.


The last few weeks have been one of those times when you almost say, "another day, another breach." In this case, something like 32 million purported Twitter user names and passwords have appeared for sale on the Dark Web. In response, Twitter's security team located the list, set the affected accounts to require a new password and sent those users an email explaining what had happened.

However, it's worth noting that Twitter says it wasn't breached. According to Twitter's Trust and Information Security Officer Michael Coates, those names and passwords were apparently assembled from the results of other breaches and, in at least some cases, were attempts to construct a Twitter @name from another set of credentials.

"We've investigated claims of Twitter @names and passwords available on the 'Dark Web,'" Coates said in a blog post, "and we're confident the information was not obtained from a hack of Twitter's servers."

Coates added, "The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we're acting swiftly to protect your Twitter account."

What that means is that Twitter checked the list against its own accounts and is requiring users whose leaked passwords were actually valid to reset their credentials. Twitter also has a list of suggestions; perhaps the most important is a link to set up two-factor authentication for Twitter accounts. With it enabled, you must enter a code sent to you via text message every time you try to log in to Twitter, so a password alone is no longer enough. The Twitter security folks also suggest unique, complex passwords and the use of a password manager so that users don't have to try to remember what their password is. I covered those steps just a few days ago.
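The check described above, matching a dump of plaintext credentials against a service's stored password hashes and flagging only the accounts where the leaked password really works, looks roughly like the following. This is an added illustration, not Twitter's code; the PBKDF2 parameters, the `handle:password` dump format and the sample accounts are all constructed assumptions.

```python
"""Match a leaked credential dump against stored password hashes.

Added example (not Twitter's code). A service never stores plaintext
passwords, so the only way to learn whether a leaked pair is live is to
run the leaked password through the same hash and compare.
"""
import hashlib
import hmac
import os

# Assumed hashing parameters; a real service would use bcrypt/scrypt/argon2
# with its own cost settings.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for a new or existing salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Constructed sample of what the service itself holds: handle -> (salt, digest).
USER_DB = {
    handle: hash_password(pw)
    for handle, pw in [
        ("alice", "correct horse battery staple"),
        ("bob", "hunter2"),
        ("carol", "Tr0ub4dor&3"),
    ]
}

# Constructed dump in an assumed "handle:password" format. Note that alice's
# entry is a password from some *other* site (reuse that did not happen here),
# and dave is not a user of this service at all.
LEAKED_DUMP = """\
@alice:hunter2
bob:hunter2
dave:letmein
carol:Tr0ub4dor&3
"""


def parse_dump(text):
    """Parse 'handle:password' lines, normalising handles; skip malformed lines."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        handle, _, password = line.partition(":")
        pairs.append((handle.lstrip("@").lower(), password))
    return pairs


def accounts_to_reset(user_db, dump):
    """Return the handles whose leaked password is actually valid here.

    Only those accounts need a forced reset; leaked pairs that do not match
    are noise from other breaches or guessed @names.
    """
    hits = set()
    for handle, password in parse_dump(dump):
        record = user_db.get(handle)
        if record is None:
            continue  # not our user; nothing to do
        salt, digest = record
        if verify(password, salt, digest):
            hits.add(handle)
    return sorted(hits)


if __name__ == "__main__":
    print("force reset for:", accounts_to_reset(USER_DB, LEAKED_DUMP))
```

Running the block flags `bob` and `carol`: their leaked passwords verify against the stored hashes. `alice` is left alone because the leaked password is not the one she uses here, which is exactly the case Coates describes of credentials from other breaches being attributed to Twitter.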

If your Twitter account was on the list, you should immediately change your password, but in reality there's more you need to do beyond that. Twitter's two-factor authentication is an important step, and one that's being made available by a growing number of services. Both Microsoft and Apple have offered two-factor authentication for some time, and it's an important means of making sure that a stolen password alone isn't enough to compromise your account.

For high-profile Twitter users and companies, adding such an authentication step to the account is becoming essential. This means that for people in politics or show business, or who are well known for some other reason, not adding it is foolhardy. These people and entities could be badly embarrassed if their account were hijacked, regardless of how that was accomplished.

How might this happen? Suppose that current presidential candidates Hillary Clinton or Donald Trump were suddenly to release a Tweet endorsing the other. While such a thing would eventually fade once it was identified as an obviously hijacked Tweet, there would be a period of a few days when it was the only thing in the news cycle. Or suppose a bogus Tweet comes from Tim Cook or Bill Gates. You get the picture.

This new exposure of Twitter logins also highlights another consideration: passwords for social media should all be unique. When hackers get their hands on a list of logins and passwords, they immediately set about seeing whether the same credentials work on other services, a practice known as credential stuffing. If they do, the credentials are validated and the hackers can charge more when they sell the information.
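From the defender's side, the stuffing run described above has a recognisable shape in authentication logs: one source address walks through many different usernames in a short time, mostly failing, with the occasional success marking a reused password. The following added example (not Twitter's code or detection logic) runs that check over a constructed log sample; the log line format, the five-minute window and the five-username threshold are assumptions chosen for illustration.

```python
"""Detect a credential-stuffing run in authentication logs.

Added example, not from the article or from Twitter. The signal used is
the number of *distinct* usernames tried from one source IP inside a
sliding window: a legitimate user who mistypes a password retries the
same username, whereas a stuffing run iterates a leaked list.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format; real auth logs differ and would need their own parser.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample: 203.0.113.5 is a stuffing run (six usernames in four
# seconds, one of which succeeds); 198.51.100.7 is one user fumbling a
# password; 192.0.2.9 is a clean login.
SAMPLE_LOG = """\
2016-06-09T10:00:01 ip=203.0.113.5 user=alice result=fail
2016-06-09T10:00:02 ip=203.0.113.5 user=bob result=fail
2016-06-09T10:00:02 ip=203.0.113.5 user=carol result=ok
2016-06-09T10:00:03 ip=203.0.113.5 user=dave result=fail
2016-06-09T10:00:03 ip=203.0.113.5 user=erin result=fail
2016-06-09T10:00:04 ip=203.0.113.5 user=frank result=fail
2016-06-09T10:00:30 ip=198.51.100.7 user=grace result=fail
2016-06-09T10:00:35 ip=198.51.100.7 user=grace result=fail
2016-06-09T10:00:40 ip=198.51.100.7 user=grace result=ok
2016-06-09T10:05:00 ip=192.0.2.9 user=heidi result=ok
this line is garbage and is skipped
"""


def parse_log(text):
    """Return parsed events as dicts, silently skipping non-matching lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "ok",
        })
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try at least `min_users` distinct usernames in `window`.

    Returns {ip: {"distinct_users": n, "successes": [users]}}. The successful
    logins inside a flagged run are the accounts whose password was reused
    from another breach and therefore need a forced reset.
    """
    recent = defaultdict(deque)  # ip -> deque of (ts, user, ok) inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"], ev["ok"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop attempts that fell out of the window
        users = {u for _, u, _ in q}
        if len(users) >= min_users:
            successes = sorted({u for _, u, ok in q if ok})
            flagged[ev["ip"]] = {"distinct_users": len(users), "successes": successes}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} usernames, compromised: {info['successes']}")
```

Only `203.0.113.5` is flagged, with six distinct usernames and `carol` as the one account the stolen password actually opened. `grace`'s three attempts from one address are not flagged, because counting distinct usernames rather than raw failures keeps an ordinary forgotten password from tripping the rule.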

Wayne Rash

Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He covers Washington and...