Tens of millions of Twitter logins are being traded on the digital underground, but Twitter says it was not hacked.
By Joseph Cox | MOTHERBOARD
So how could the logins have been obtained? One candidate: password reuse—that is, people affected by data breaches at other services using the same password on Twitter.
“We are confident that these usernames and credentials were not obtained by a Twitter data breach—our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks,” a Twitter spokesperson told Motherboard in an email. Michael Coates, trust and information security officer at Twitter, tweeted that the company stores passwords with the robust hashing algorithm bcrypt.
When someone reuses a password across websites, all a hacker needs to do is check whether a password and email combination from a hacked site works on other services, and if there aren’t any extra security measures, they’re in. Not reusing passwords is one of the simplest security ideas to grasp, but one that many people ignore.