Almost 33 million Twitter passwords, usernames and email addresses have been leaked online, probably collected through a malware attack targeting users rather than the microblogging website itself.
The leak was revealed by the LeakedSource website, which collects private data illegally traded on the dark web and lets users search for their own credentials and remove them from its database.
LeakedSource said the data set was provided by a user going by the nickname Tessa88@exploit.im.
“We have very strong evidence that Twitter was not hacked, rather the consumer was,” LeakedSource said in a blog post. “These credentials however are real and valid. Out of 15 users we asked, all 15 verified their passwords.”
The passwords were stolen in plain text, which supports the theory that the hack targeted users directly, since Twitter would store such data encrypted, the website suggested.
“The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter,” LeakedSource said.
“There was a very significant amount of users with the password "<blank>" and "null". Some browsers store passwords as "<blank>" if you don't enter a password when you save your credentials.”
Despite the recent hack of the Twitter account of Facebook CEO Mark Zuckerberg, the data set doesn’t contain his credentials.
Twitter has reportedly started contacting the 32,880,300 affected users.
LeakedSource estimates that the malware most likely came from Russia, as the majority of the leaked addresses are on the .ru domain.
The LeakedSource database currently contains more than 1.8 billion records leaked from various sources including Myspace.com, LinkedIn.com and Badoo.com.
“Since embarking on this ambitious project just a handful of months ago, we have processed an unbelievable amount of data,” the website says. “Much more than we expected, more than most large companies will ever house - and we're just getting started.”