June 8th, 2016

Preface

Twitter credentials are being traded in the tens of millions on the dark web. LeakedSource has obtained and added a copy of this data to its ever-growing searchable repository of leaked data. This data set was provided to us by a user who goes by the alias "[email protected]" and who has given us permission to name them in this blog.

LeakedSource is a search engine capable of searching over 1.8 billion leaked records -- an aggregation of data from hundreds of disparate sources. We have been able to accumulate this data over a relatively short period of time through a combination of deep-web scavenging and rumor-chasing. Occasionally these efforts lead to major discoveries (e.g. Myspace.com, LinkedIn.com, Badoo.com), but we really aren't too picky. If we come across a leaked database from a company that most people haven't heard of, we will incorporate it into our master database just the same.

You may search for yourself in the leaked Twitter.com credentials by visiting our homepage. If your personal information appears in our copy of the Twitter credentials, or in any other leaked database that we possess, you may remove yourself for free.

Since embarking on this ambitious project just a handful of months ago, we have processed an unbelievable amount of data. Much more than we expected, more than most large companies will ever house -- and we're just getting started. LeakedSource may soon become synonymous with Big Data, so don't miss out!

Anyone may use the information on this page for free in any capacity provided LeakedSource is given credit and a link back.

LeakedSource does not engage in, encourage or condone unlawful entry ("hacking") into private systems.

Summary

This data set contains 32,888,300 records. Each record may contain an email address, a username, sometimes a second email and a visible password. We have very strong evidence that Twitter was not hacked; rather, the consumer was. These credentials, however, are real and valid. Out of 15 users we asked, all 15 verified their passwords.

The explanation for this is that tens of millions of people have become infected by malware, and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites including Twitter.

The proof for this explanation is as follows:

  • The join dates of some users with uncrackable (yet plaintext) passwords were recent. There is no way that Twitter was storing passwords in plaintext in 2014, for example.
  • There was a very significant number of users with the password "<blank>" and "null". Some browsers store passwords as "<blank>" if you don't enter a password when you save your credentials.
  • The top email domains don't match up to a full database leak; more likely the malware was spread to Russians.

Also, we triple-checked: Mark Zuckerberg isn't in this data set.

We have attempted to contact Twitter to provide them some more information but have not heard back yet. The lesson here? It's not just companies that can be hacked; users need to be careful too.
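The three indicators listed above can be measured over any credential dump during breach triage. The following is an added example, not LeakedSource's code; the `(email, password, join_year)` record layout, the function names, the `recent_year` threshold and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter

# Placeholder strings the page says appear where no real password was saved.
PLACEHOLDERS = {"<blank>", "null"}

# Constructed sample records: (email, password, join_year or None). Not real data.
SAMPLE = [
    ("ivan@mail.ru", "<blank>", 2012),
    ("olga@yandex.ru", "Zk8#vQ2!xLp0", 2014),
    ("petr@mail.ru", "123456", 2010),
    ("sam@yahoo.com", "null", None),
    ("ann@gmail.com", "qwerty", 2015),
    ("not-an-email", "123456", 2011),
]


def email_domain(email):
    """Return '@domain' in lower case, or None when the address is malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return "@" + domain if sep and local and domain else None


def is_placeholder(password):
    """True when the stored value is a browser placeholder, not a password."""
    return password.strip().lower() in PLACEHOLDERS


def triage(records, recent_year=2014, top_n=2):
    """Compute the page's three indicators over (email, password, join_year)."""
    total = len(records)
    if total == 0:
        raise ValueError("no records to analyse")
    placeholders = sum(1 for _, pw, _ in records if is_placeholder(pw))
    # A readable password on a recently created account points at client-side
    # capture, since the service itself would be expected to hold only a hash.
    recent_plain = sum(
        1 for _, pw, yr in records
        if yr is not None and yr >= recent_year and pw and not is_placeholder(pw)
    )
    domains = Counter(d for e, _, _ in records if (d := email_domain(e)))
    valid = sum(domains.values())
    ru = sum(n for d, n in domains.items() if d.endswith(".ru"))
    return {
        "placeholder_share": placeholders / total,
        "recent_plaintext": recent_plain,
        "top_domains": domains.most_common(top_n),
        "ru_share": ru / valid if valid else 0.0,
        "malformed_emails": total - valid,
    }
```

A high placeholder share, readable passwords on recent accounts and a domain mix skewed toward one region together support the endpoint-malware explanation over a server-side breach.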

API

After the last breach we received many requests for API access, and we are launching a business API with a consumer one to follow in the near future. You can read about the API features at our API page.

Passwords

Passwords were stolen directly from consumers, therefore they are in plaintext with no encryption or hashing. Remember that Twitter probably doesn't store the passwords in plaintext; Chrome and Firefox did.

For subscribed LeakedSource users, we are only displaying the first 3 characters of passwords, with a form that will allow you to validate if yours was leaked until Twitter responds to us. Anybody can verify that this form does not transmit any password information to LeakedSource; the verification is done by your browser.

The following table shows the top passwords used by Twitter.com users affected by malware.

    Rank Password Frequency
    1 123456 120,417
    2 123456789 32,775
    3 qwerty 22,770
    4 password 17,471
    5 1234567 14,401
    6 1234567890 13,799
    7 12345678 13,380
    8 123321 13,161
    9 111111 12,138
    10 12345 11,239
    11 123123 11,099
    12 9-11-1961 10,444
    13 9111961 10,231
    14 000000 10,124
    15 666666 9,264
    16 555555 8,586
    17 1q2w3e4r5t 8,386
    18 654321 8,358
    19 1234 8,257
    20 gfhjkm 7,773
    21 7777777 7,659
    22 222222 6,696
    23 cepetsugih 6,603
    24 777777 6,539
    25 999999 6,428
    26 112233 6,398
    27 1q2w3e4r 6,178
    28 888888 5,784
    29 333333 5,772
    30 qwerty123 5,666
    31 iloveyou 5,443
    32 exigent 5,355
    33 159753 5,063
    34 123qwe 4,934
    35 abc123 4,816
    36 qwertyuiop 4,797
    37 1qaz2wsx 4,753
    38 1q2w3e 4,493
    39 qqww1122 4,244
    40 pakistan 4,001
    41 987654321 3,926
    42 qwe123 3,597
    43 samsung 3,351
    44 q1w2e3r4 3,271

Emails

A simple table of the top email domains. Clearly Russian consumers download bad things. 3,022 emails end in *.gov.

    Rank Email Domain Frequency
    1 @mail.ru 5,028,220
    2 @yahoo.com 4,714,314
    3 @hotmail.com 4,520,434
    4 @gmail.com 3,302,205
    5 @yandex.ru 1,020,757
    6 @aol.com 586,661
    7 @rambler.ru 428,084
    8 @bk.ru 374,855
    9 @list.ru 291,403
    10 @inbox.ru 260,957
    11 @hotmail.fr 196,206
    12 @hotmail.co.uk 193,357
    13 @msn.com 188,220
    14 @live.com 163,167
    15 @comcast.net 145,737
    16 @yahoo.co.uk 104,183
    17 @ymail.com 99,358
    18 @yahoo.fr 85,964
    19 @sbcglobal.net 84,830
    20 @ukr.net 78,879
    21 @yahoo.co.in 72,953
    22 @web.de 67,010
    23 @yahoo.co.id 62,247
    24 @libero.it 60,294
    25 @ya.ru 57,080
    26 @naver.com 50,417
    27 @hotmail.it 48,639
    28 @live.fr 48,179
    29 @gmx.de 47,117
    30 @rocketmail.com 46,162
    31 @cox.net 43,500
    32 @bellsouth.net 42,586
    33 @hotmail.de 39,703
    34 @rediffmail.com 38,585
    35 @yahoo.com.br 36,880
    36 @att.net 35,654
    37 @live.co.uk 35,624
    38 @verizon.net 33,651
    39 @btinternet.com 31,914
    40 @yahoo.de 27,588
    41 @inbox.lv 26,478
    42 @aim.com 26,325
    43 @googlemail.com 25,507
    44 @i.ua 24,779
    45 @earthlink.net 23,475