The credentials of more than 32 million Twitter (TWTR) users have reportedly been stolen and leaked—but with this particular mega-breach, the twist is that it doesn’t seem to have been Twitter itself that was the source of the data.
There has recently been a spate of user credentials from services such as LinkedIn (LNKD) and MySpace turning up in the online underground, but in each of these cases the data appeared to have come from a breach of the service provider’s systems—a tell-tale sign being that the passwords were (badly) encrypted.
Those breaches become public through a shadowy site called LeakedSource, that lets people see whether their credentials have been included in particular leaked datasets. LeakedSource is again the conduit for this latest tranche of data, but its proprietors reckon the Twitter credentials were stolen from the users’ browsers. Twitter is also adamant that it wasn’t itself hacked.
Get Data Sheet, Fortune’s technology newsletter.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach—our systems have not been breached,” Twitter said in a statement. “In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.”
In a blog post, LeakedSource said the dataset included passwords from people who had signed up to Twitter as recently as 2014, but the passwords had been stored in “plaintext,” with no attempt to encrypt them. In line with being a large, prominent web firm, Twitter isn’t so careless with its customers’ data.
As Twitter information security officer Michael Coates tweeted:
We securely store all passwords w/ bcrypt. We are working with @leakedsource to obtain this info & take additional steps to protect users.
— Michael Coatesۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗۗ (@_mwc) June 9, 2016
What’s more, LeakedSource said many passwords in the dataset were listed as “blank,” which is how browsers refer to a user’s password when the user doesn’t choose to store their password along with their login credentials.
In short, according to LeakedSource’s theory, whoever stole this data apparently stole it from the users’ browsers. This was most probably done with malware, and it seems to have disproportionately targeted Russians—the most common email address domain in the list is “mail.ru,” with five other Russian email providers also appearing in the top 10.
If that’s the case, the thieves probably took more than just Twitter credentials.
For more on cybersecurity, watch our video.
“These credentials…are real and valid. Out of 15 users we asked, all 15 verified their passwords,” LeakedSource wrote. “The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.”
Russia was also the focus of the last big stolen-data leak that showed up on LeakedSource a few days ago—that time round, the target was VK, the country’s biggest social network.
If LeakedSource’s account checks out and you’re a victim, it’s probably a good idea to get rid of that malware, not just change your password. When someone has access to a computer in this way, they can use it to steal information and propagate the malware to other people.
https://twitter.com/LeakedSource/status/740748213926367233
According to ZDNet, the hacker who provided the Twitter data to LeakedSource (as well as the MySpace and VK data) is now trying to sell it for 10 bitcoins (around $5,800).
It does seem like a regular theme for LeakedSource to be announcing major leaks at the same time as people show up on underground marketplaces trying to sell the relevant data. The timing isn’t about the leaks themselves, as those have taken place over years, although the data is all surfacing now. LeakedSource claims it “does not engage in, encourage or condone” hacking.
