Last week, various reports surfaced that over 32 million Twitter passwords had been offered for sale on the dark web; since then, Twitter has been forcing some users to reset their passwords in order to access their accounts.
Password leaks have, unfortunately, become so commonplace that to many people they barely seem newsworthy. The Twitter password leak is unusual, however, in that Twitter insists it was not hacked: any valid Twitter passwords found on the dark web were "not obtained from a hack of Twitter's servers," but leaked as the result of breaches of other sites, of credential-stealing malware running on users' computers or mobile devices, or both.
Twitter's claims illustrate the important information-security interconnection between sites - how the breach of one site can lead to security risks at another. As I mentioned in a previous article, the breach of LinkedIn may have provided criminals with the password to Mark Zuckerberg's Twitter account because he used the same password for both sites, and, of course, we can rest assured that the Facebook CEO is not the only person ever to reuse a password. (As described in that article, even if someone uses different passwords on multiple sites, if the passwords are similar enough a hacker may be able to extrapolate one from another.) Furthermore, we have seen other real-world examples of the interconnection between breaches before - data from the Anthem breach, for example, likely included all of the personal details needed for criminals to obtain IRS records from the IRS website, whose authentication requirements were poorly designed.
This cybersecurity interconnection is significant.
Despite the fact that Twitter believes that it was not the source of the password leak, it still has to take action to address risks created by the leak; owners of accounts whose valid Twitter passwords appeared in the list are being blocked from accessing their accounts until they reset their passwords.
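The two defensive steps described here, checking a site's own credential store against a list leaked from elsewhere and then refusing a replacement password that is only a trivial variation of the compromised one, can be shown concretely. The following is an added example written for this page, not Twitter's code or anything from the original article. The accounts, the leaked list, the PBKDF2 parameters and the similarity threshold are all constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# --- The site's own credential store (constructed sample, salted PBKDF2 hashes) ---

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

ACCOUNTS = {
    "alice": make_account("Summer2016!"),              # reused the same password on another site
    "bob": make_account("correct horse battery staple"),  # unique password
}

# --- A username:password list leaked from *another* site (constructed sample, not real data) ---
LEAKED_CREDENTIALS = [
    ("alice", "Summer2016!"),
    ("bob", "bobs-old-forum-password"),
    ("carol", "hunter2"),   # no such account here; ignored
]

def verify(account: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(account["hash"], hash_password(password, account["salt"]))

def accounts_needing_reset(accounts: dict, leaked: list) -> set:
    """Usernames whose *current* password on this site matches a credential leaked elsewhere.
    These are the accounts to lock until the owner chooses a new password."""
    flagged = set()
    for user, candidate in leaked:
        account = accounts.get(user)
        if account is not None and verify(account, candidate):
            flagged.add(user)
    return flagged

# --- Rejecting a replacement password that is a near-copy of the compromised one ---

def normalize(password: str) -> str:
    """Lowercase and drop everything but letters, so 'Summer2016!' and 'summer2017' compare equal."""
    return re.sub(r"[^a-z]", "", password.lower())

def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def too_similar(new_password: str, old_password: str, max_distance: int = 2) -> bool:
    """True if the new password is the old one with only digits, case or punctuation changed,
    one contains the other, or they are within a small edit distance (threshold is an assumption)."""
    a = normalize(new_password) or new_password.lower()
    b = normalize(old_password) or old_password.lower()
    if a in b or b in a:
        return True
    return levenshtein(a, b) <= max_distance

def evaluate_reset(old_password: str, new_password: str) -> str:
    """Decision for a forced reset: the new password must not be a variation of the leaked one."""
    if too_similar(new_password, old_password):
        return "reject: too close to the compromised password"
    return "accept"

if __name__ == "__main__":
    print("force reset for:", accounts_needing_reset(ACCOUNTS, LEAKED_CREDENTIALS))
    print(evaluate_reset("Summer2016!", "Summer2017!"))
    print(evaluate_reset("Summer2016!", "correct horse battery staple"))
```

Only alice is flagged: bob's leaked forum password does not verify against his hash here, and carol has no account on this site. The normalisation step is what catches the "extrapolated" variants the article warns about (a year bumped, a `0` swapped for an `o`), which a plain string comparison would miss.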
This episode, therefore, highlights an important concept: after any major breach, even organizations seemingly unaffected by it may face an increased level of risk. So, businesses need to pay attention to information-security-related news and, at times, engage an expert to evaluate what impact the news has on them - it may not be obvious.
Of course, the current Twitter password story is also a good time to remind people to properly secure their social media accounts, and to practice good cybersecurity hygiene in general. A small amount of vigilance can go a long way.