News sites recently reported the possibility of compromised Twitter accounts. Twitter denied the claim that they had been compromised or breached. If you do a search on the topic, things read a little differently than the official company stance.
Let me simply say it is not really rare or uncommon for malware to spread throughout millions of devices and gather passwords. Social media sites are a favorite target.
How difficult (or, put more aptly, easy) is it to obtain stolen passwords? The good/bad news is that you do not need to have any hacking skills. You do not have to launch malware to scoop them up. Someone has already done that piece of labor for you.
User ID and password repositories are prolific on the Web. Even a cursory look will reveal them conspicuously placed on all types of sites. For instance, passwords are regularly posted on sites such as Pastebin.com:
I decided to do a quick search in that site to see what I would find. It revealed literally hundreds of entries containing passwords. One sigh of relief came when I examined a few of the passwords and drops. Most of the credentials for social media and other popular sites appeared to be relatively old or invalid.
Pastebin is relatively easy to get to and search through. The Darknet is a little different story, but it can also be searched with relative ease. A quick look at a few Darknet marketplaces revealed no shortage of piles of leaked account credentials for sale.
A hacker with the handle peace_of_mind (he nailed it on irony) is selling social media account credentials. The hacker has a very high reputation of being legitimate, with solid ratings on several Darknet sites.
I decided to do a quick verification of what I found. I obtained some sample accounts from peace_of_mind, confirming and checking his public PGP keys and fingerprints against the data. I also searched around some to determine what he has posted under his user account on a few different sites. I also went back a bit into his history, and it appears he has been at it for a while.
I was also able to examine a few accounts from different social media sites (such as Twitter and LinkedIn), verifying several accounts as valid. Mind you, this was simply an account check. I remain chaste and pure in thought and deed.
Here’s the real deal…legitimate account credentials are simply out in the wild. I wonder if we realize just how pervasive or large of an issue this is, so here’s the dilly and sweets (that was for you Archer fans, although it was somewhat obscure…hint: Charles and Rudy):
But wait, there’s more! The same user is selling 167 million LinkedIn accounts for 2.0 Bitcoins (roughly $1200 USD)!
How legitimate are these ‘products’? I saw several postings on other hacker sites from members having very high reputations. Those posts consistently gave peace_of_mind good feedback as far as delivering what was promised. Known entities who have been verified as legitimate are saying he has what he advertises:
This individual is also selling media accounts from services such as HBOGo, Netflix, WWE Network, MLB Network, Hulu+, and others:
So…where does this leave us?
Many businesses rely on social media. Hundreds of millions of people around the globe, myself included, use social media for…well…socializing (albeit electronically). Most of us regularly use media streaming accounts.
So of course, I have some recommendations.
- Regularly change your passwords. If you reset all your sites to the same one, well…I guess that is better than never changing them. Just periodically do it.
- Watch and heed the news about social media. When something like this happens, change your passwords.
- When you think something funny is going on in any of your accounts…change your passwords.
- I feel like I need to say ‘password’ again.
The bottom line is this: keep your login credentials under your control instead of letting them be a commodity on the Darkweb.
It isn’t really all that difficult.