Late last week, a password leak hit Twitter, and the company locked millions of user accounts as a result.
It was reported that the login credentials of more than 32 million Twitter users were compromised. According to LeakedSource, which indexes hacked credentials from data breaches, the full set is being offered on the Dark Web for about 10 bitcoin, or a little under $6,000 at the time.
LeakedSource goes on to note that the passwords are in plain text rather than hashed, and that many of the records belong to Russian users. That detail suggests the passwords were captured from users' own machines, for example by malware that logs what is typed into a browser, rather than taken from Twitter's central systems, since a dump of a site's password database would normally contain password hashes, not the passwords themselves.
In response to the leak, Twitter quickly initiated forced password resets for many of its users.
As Fortune reported, Twitter remains adamant that its systems were not breached. Either way, enough of the leaked credentials were valid that the company locked a number of accounts until their owners manually reset their passwords.
“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites or a combination of both,” Michael Coates, trust and information security officer for Twitter, wrote in a blog post.
Coates went on to explain that, with so many other breaches taking place, it's easy for hackers to mine the exposed data and automatically test whether the credentials work on other sites as well, a technique commonly called credential stuffing.
“If a person used the same username and password on multiple sites, then attackers could, in some situations, automatically take over their account. That’s why a breach of passwords associated with website X could result in compromised accounts at unrelated website Y,” he added.
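The defensive mirror image of that attack is what Twitter describes doing: take the leaked username/password pairs, check each one against your own password store, and force a reset on every account where the leaked password still verifies. The script below is an added illustration of that check and is not code from Twitter or from the original article. It assumes a store of PBKDF2-HMAC-SHA256 records (salt, iteration count, digest) and a dump in `handle:password` form; both the store and the dump are constructed inline so the example runs offline.

```python
"""Check a leaked credential dump against a site's own password store and
return the accounts that must be locked and force-reset.

Added example, not the article's or Twitter's code. Assumptions: passwords
are stored as salted PBKDF2-HMAC-SHA256 (any slow KDF works the same way),
and the dump is plain text, one "handle:password" per line.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed KDF work factor for the example store


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Produce a stored record for a password (fresh random salt by default)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(password, record):
    """Re-derive the digest with the record's salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def normalize_handle(name):
    """Dumps are messy: strip whitespace and a leading '@', and ignore case."""
    return name.strip().lstrip("@").lower()


def parse_dump(text):
    """Parse 'handle:password' lines. Only the first ':' separates the fields,
    so a password that itself contains ':' is kept intact."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # blank or malformed line; skip rather than guess
        handle, password = line.split(":", 1)
        pairs.append((normalize_handle(handle), password))
    return pairs


def accounts_to_reset(dump_pairs, store):
    """Return the sorted handles whose leaked password verifies against the
    live store. Each check costs one full KDF run, so a large dump should be
    processed in batches; there is no shortcut, because the stored hashes
    are salted and the leaked passwords are plaintext."""
    hits = set()
    for handle, password in dump_pairs:
        record = store.get(handle)
        if record is None:
            continue  # not one of our users; nothing to lock
        if verify_password(password, record):
            hits.add(handle)
    return sorted(hits)


# Constructed sample store: three accounts with known passwords.
USER_STORE = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2"),
    "carol": hash_password("Tr0ub4dor&3"),
}

# Constructed sample dump: alice and carol reused their passwords elsewhere,
# bob's leaked password is stale, dave is not a user of this site at all.
LEAKED_DUMP = """\
@Alice:correct horse battery staple
bob:password123
carol:Tr0ub4dor&3
dave:letmein
"""


def run_demo():
    """Run the check over the constructed dump; returns ['alice', 'carol']."""
    return accounts_to_reset(parse_dump(LEAKED_DUMP), USER_STORE)


if __name__ == "__main__":
    for handle in run_demo():
        print(f"lock and force reset: {handle}")
```

Only accounts whose leaked password actually verifies are locked; `bob` is left alone because his leaked password is stale, even though the dump shows he reused it somewhere once. The per-check KDF cost is deliberate: it is the same cost that makes an offline attack on the stored hashes slow, so the check is run as a batch job rather than in the login path.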