Cyber Incident Victim: Twitter
Date: Jan 2014
Location: Russia
Summary
A hacker claimed to sell over 32 million user credentials, including email addresses and plain-text passwords, allegedly obtained via malware that harvested saved login details from infected browsers rather than a direct breach of the company's systems. Analysis confirmed the validity of some credentials, with common weak passwords identified, while the organization denied any compromise of its infrastructure and stated it proactively checked user data against external leaks to protect accounts. High-profile account takeovers around the same time were attributed to separate credential leaks from other platforms.
Description
In June 2016, a hacker known as Tessa88, associated with prior breaches at MySpace, LinkedIn, and Tumblr, claimed to possess and sell a database of over 32 million Twitter account credentials after duplicate removal. The data included email addresses (sometimes two per user), usernames, and plain-text passwords, priced at 10 bitcoins (approximately $5,820). LeakedSource, a breach notification service, obtained and analyzed the database, concluding the credentials were likely stolen via malware infections on users' devices rather than a direct breach of Twitter’s systems. The malware harvested saved login details from browsers like Chrome and Firefox, compiling credentials from multiple websites including Twitter. LeakedSource verified the authenticity of 15 sample passwords from the database, with two journalists confirming their credentials matched, while a third noted the associated email was unused for Twitter. The plain-text nature of the passwords suggested theft from individual users rather than Twitter’s infrastructure, as the company was not believed to store passwords unencrypted at the time of the data collection, estimated to be around 2014. Common passwords in the dataset included "123456," "qwerty," and "password," reflecting poor user security practices.

Twitter denied any breach of its systems, stating that it proactively compared its data against known password leaks to secure accounts. The response came amid public concern over high-profile account takeovers, such as the compromise of Facebook co-founder Mark Zuckerberg's Twitter account, although his credentials were absent from this database; the attackers behind that takeover had sourced his "dadada" password from the earlier LinkedIn breach. LeakedSource emphasized that the incident underscored the risk of user-side compromise rather than corporate breach, noting that the credentials were valid and highlighting the role of malware in credential theft. Twitter reiterated its focus on cross-referencing leaked passwords to protect accounts, distancing the incident from its own security posture while acknowledging the broader challenge of credential reuse and malware targeting users.
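The defensive step Twitter describes, comparing a third-party dump against its own account data and resetting the accounts whose leaked password still verifies, can be illustrated as follows. This is an added example, not Twitter's or LeakedSource's code; the account store, the PBKDF2 hashing and the leaked records are constructed stand-ins, and the record format (one or more e-mail addresses plus a plain-text password) mirrors what the dump was reported to contain.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed stand-in for a platform's account store: email -> (salt, PBKDF2-SHA256 hash).
ITERATIONS = 100_000
WEAK_PASSWORDS = {"123456", "qwerty", "password"}  # values the dump analysis called out


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def build_store(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Create salted hashes for the constructed accounts (email -> password)."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store


def cross_reference_leak(store, leaked_records: List[dict]):
    """Check each leaked record against the store; return (accounts_to_reset, stats).
    An account is queued for reset only when the leaked plain text still verifies
    against its current hash, so stale or unrelated records do not trigger resets."""
    to_reset = {}
    stats = {"unknown_email": 0, "stale": 0, "valid": 0}
    for record in leaked_records:
        pw = record["password"]
        for email in record["emails"]:
            key = email.strip().lower()
            if key not in store:
                stats["unknown_email"] += 1  # address never registered on the platform
                continue
            salt, stored = store[key]
            if hmac.compare_digest(hash_password(pw, salt), stored):
                stats["valid"] += 1
                reasons = ["leaked_password_still_valid"]
                if pw in WEAK_PASSWORDS:
                    reasons.append("weak_password")
                to_reset[key] = reasons
            else:
                stats["stale"] += 1  # account exists, but the leaked password is no longer current
    return to_reset, stats
```

For the constructed inputs in the test, only the account whose leaked password still verifies is queued for reset; the journalist-style case of an e-mail address unused on the platform is counted separately instead of triggering any action.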
