The last few weeks have been one of those times when you almost say, “another day, another breach.” In this case, something like 32 million purported Twitter user names and passwords have appeared on the Dark Web for sale. In response, the Twitter security folks found the names for sale, set the affected accounts to require a new password, and sent the affected users an email explaining what happened.
However, it’s worth noting that Twitter is saying it wasn’t breached. According to Twitter’s Trust and Information Security Officer Michael Coates, those names and passwords were apparently gathered from the results of other breaches and, in at least some cases, were attempts to construct a Twitter name from another set of credentials.
“We’ve investigated claims of Twitter @names and passwords available on the ‘Dark Web,’” Coates said in a blog post, “and we’re confident the information was not obtained from a hack of Twitter’s servers.”
Coates added, “The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.”
What that means is that Twitter checked the list, and is going to require users with breached passwords to reset their credentials. But Twitter has a list of suggestions, as well; perhaps the most important is a link to set up two-factor authentication for Twitter accounts. This will require you to enter a code that will be sent via text message every time you try to log in to Twitter. The Twitter security folks also suggest unique, complex passwords and the use of a password manager so that users don’t have to try to remember what their password is. I covered those steps just a few days ago.
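The check described above (comparing a leaked handle/password list against a service's own password store and forcing a reset only on real matches) as an added example; this is not Twitter's code, and the user store, salts and leaked entries are constructed sample data:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# PBKDF2 work factor; kept modest so the sample runs quickly (production uses far more).
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest, the form in which a service stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_store(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a salted-hash store from plaintext; used only to construct the sample."""
    store = {}
    for handle, pw in users.items():
        salt = os.urandom(16)
        store[handle.lower()] = (salt, hash_password(pw, salt))
    return store

def normalize(handle: str) -> str:
    """Twitter @names are case-insensitive; leaked lists mix '@alice', 'Alice', etc."""
    return handle.strip().lstrip("@").lower()

def check_leak(store: Dict[str, Tuple[bytes, bytes]],
               leaked: List[Tuple[str, str]]) -> Dict[str, str]:
    """Verdict per leaked entry: 'match' (current password exposed, force reset),
    'stale' (handle is ours but the password is wrong, e.g. reused from elsewhere),
    'unknown' (handle does not exist here, e.g. guessed from another breach)."""
    verdicts = {}
    for handle, pw in leaked:
        key = normalize(handle)
        if key not in store:
            verdicts[handle] = "unknown"
            continue
        salt, digest = store[key]
        # Constant-time compare so the check itself leaks no timing information.
        if hmac.compare_digest(hash_password(pw, salt), digest):
            verdicts[handle] = "match"
        else:
            verdicts[handle] = "stale"
    return verdicts

def accounts_to_reset(verdicts: Dict[str, str]) -> List[str]:
    """Normalized handles whose live password appeared in the dump."""
    return sorted({normalize(h) for h, v in verdicts.items() if v == "match"})

# Constructed sample: three real accounts, and a four-entry "dump" sold as Twitter logins.
SAMPLE_STORE = make_store({"alice": "correct horse battery", "bob": "hunter2", "dave": "xK9#pL2q"})
SAMPLE_LEAK = [("@Alice", "correct horse battery"), ("bob", "Password123"),
               ("@carol", "letmein"), ("DAVE", "xK9#pL2q")]

def run_sample() -> Dict[str, str]:
    return check_leak(SAMPLE_STORE, SAMPLE_LEAK)
```

Only the 'match' accounts need a forced reset; 'stale' entries still tell you that account's owner reused a password somewhere and deserves a warning.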
If your Twitter credentials were leaked, you should immediately change your password, but in reality, there’s more that you need to do beyond that. Twitter’s new offering of two-factor authentication is an important step, and one that’s being made available by a growing number of services. Both Microsoft and Apple have been offering two-factor authentication for some time, and it’s an important means of making sure your account isn’t compromised.
In the case of Twitter users and companies with a high profile, it’s becoming essential that you add such an authentication step to your account. This means that for people in politics, show business or who are well-known for some other reason, not adding authentication is foolhardy. These people and entities could be badly embarrassed if their account were hijacked, regardless of how that was accomplished.
How might this happen? Suppose that current presidential candidates Hillary Clinton or Donald Trump were suddenly to release a Tweet endorsing the other? While such a thing would eventually fade once it was identified as an obviously hijacked Tweet, there would be a period of a few days when that was the only thing in the news cycle. Or suppose a bogus Tweet comes from Tim Cook or Bill Gates. You get the picture.
This new exposure of Twitter logins also highlights another consideration, which is to make sure that passwords for social media are all unique. What’s happening is that when the hackers get their hands on a list of login information and passwords, they immediately set about seeing if the same credentials will work on other services. If they do, then the credentials are validated and the hackers can charge more money when they sell the information.
Twitter’s Breach That Wasn’t Prompts New Security Rules
Adding to the complexity of protecting yourself and your organization is that the hackers are using new ways of getting the data they need. What appears to be happening is that the hackers are now leveraging big data analysis techniques to reveal likely username and password combinations. In the case of Twitter, it’s not hard to infer a Twitter handle given the email address or name of the target individual. A reasonably capable hacker can automate the process of harvesting this information and then combine it all for sale.
While such a technique won’t guarantee a perfect list, the level of success should be high enough to make such a set of credentials valuable anyway. The reason this is happening is twofold. First, there are several organized crime syndicates, all trying to get the upper hand in selling stolen information, and as the level of competition grows, so do the number and variety of breaches and other theft attempts.
Second, social media companies and other services are getting better at protecting their information, so the criminals need to find it in other places. Unfortunately, when a major breach does happen, that data is leveraged in more ways than just selling it in the form in which it appeared.
As a result, there are three things that you should do, especially if you or your company has any kind of public profile. First, take advantage of whatever form of advanced authentication is available as soon as it’s available. Second, take seriously the need to have unique passwords for each public site you use, so that if one is revealed, the rest won’t be. Finally, use some form of authentication management so that you can keep track of everything and manage changes as needed.
Unfortunately, this is one case where the world is getting more dangerous very quickly, and while you probably can’t always beat the bad guys at this game, at least you can make it hard enough for them that they attack someone else instead.