The hacker recently linked to attacks on social media sites such as MySpace, LinkedIn and Tumblr is at it again, offering millions of what are alleged to be Twitter usernames and passwords to anyone willing to pay.
The hacker, known as Tessa88, is asking 10 bitcoin, or just under $6,000, for what he or she claims are the log-in credentials for 379 million Twitter accounts.
That amounts to roughly .0015 cents per Twitter account, less than the .025-cent asking price for each of the 179 million compromised LinkedIn accounts.
Such low prices speak to the growing glut of stolen data, and analysts say the cost discrepancy between the Twitter and LinkedIn accounts offers clues about the ways cybercriminals think.
Hacks like this are often used by criminals as a doorway into bank accounts. By obtaining a database of usernames, email addresses and passwords, criminals can probe banking websites hoping victims use the same log-ins across the Web.
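The credential-reuse probing described above leaves a recognisable footprint in a site's login logs: one source trying many distinct usernames in a short window with mostly failures. The following is an added example, not code from the article or from any of the companies named in it; it assumes a constructed four-field log format (timestamp, source IP, username, result) and constructed sample lines.

```python
"""Credential-stuffing detector over login logs (added example, not from the
article). Assumes a constructed log format: ISO timestamp, source IP,
username, and result ('ok' or 'fail')."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling through many leaked usernames with
# mostly failures, plus an ordinary user logging in normally (including one
# honest typo).
SAMPLE_LOG = """\
2016-06-08T12:00:01 203.0.113.7 alice fail
2016-06-08T12:00:02 203.0.113.7 bob fail
2016-06-08T12:00:02 203.0.113.7 carol ok
2016-06-08T12:00:03 203.0.113.7 dave fail
2016-06-08T12:00:03 203.0.113.7 erin fail
2016-06-08T12:00:04 203.0.113.7 frank fail
2016-06-08T12:05:00 198.51.100.4 alice ok
2016-06-08T12:06:00 198.51.100.4 alice fail
2016-06-08T12:06:30 198.51.100.4 alice ok
"""


def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        yield datetime.fromisoformat(ts), ip, user, result == "ok"


def find_stuffing_sources(text, window=timedelta(minutes=10),
                          min_users=5, max_success_ratio=0.5):
    """Return the set of source IPs that tried at least `min_users` distinct
    usernames inside a sliding `window`, with a success ratio at or below
    `max_success_ratio` (a normal user retrying one account is not flagged)."""
    events = defaultdict(list)   # ip -> recent (ts, user, ok) events
    flagged = set()
    for ts, ip, user, ok in sorted(parse_log(text)):
        recent = [e for e in events[ip] if ts - e[0] <= window]
        recent.append((ts, user, ok))
        events[ip] = recent
        users = {u for _, u, _ in recent}
        successes = sum(1 for _, _, s in recent if s)
        if len(users) >= min_users and successes / len(recent) <= max_success_ratio:
            flagged.add(ip)
    return flagged
```

Flagged sources are candidates for rate limiting or a step-up challenge such as the two-step verification the article mentions, rather than an outright block, since a single successful hit inside a stuffing run is exactly the reused password the attacker was looking for.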
“There’s only so much you can get out of somebody’s username and password, but there’s a lot of ways you can monetize it,” said Rebekah Hall, a lead researcher at information security firm Rapid7.
If criminals get into a victim’s bank account, they often buy pre-paid debit cards, which are hard to track, or add recurring charges they hope will go unnoticed by banks, credit monitoring systems and the victims themselves.
But many Internet users are savvy enough to use different passwords, meaning criminals want access to lots of accounts – and they want them cheap.
That said, they may choose to pay an extra fraction of a cent for accounts containing more valuable data.
In this case, a LinkedIn account is worth more to hackers because of the type of information it contains. Unlike Twitter, where many users choose avatars, a LinkedIn account reveals what a potential victim does for a living. This helps criminals specifically target individuals likely to earn big salaries – perhaps the kind less prone to notice small unfamiliar charges on their bank statements.
“The more I reveal what I do, the picture becomes less about my identity [and] more about value on the black market because it has credit card implications,” said Ori Eisen, chief executive of Trusona, a company that protects online assets.
So what can companies like LinkedIn and Twitter do to prevent future hacks?
Hemanshu Nigam, the CEO of SSP Blue and former head of cybersecurity for MySpace, said that while some things are out of the companies’ hands, they need to remind users to regularly change passwords and educate them about potential threats.
“Hackers are always looking for ways to get in,” he said. Companies “have databases containing highly sensitive information. They need to treat it like money in a bank vault.”
Twitter says the data was not obtained via a breach and said it was investigating the leak. LinkedIn advised users to visit its website to make sure they have two-step verification enabled and strong passwords.
In the wake of high-profile hacks that included the NFL’s Twitter account and Facebook founder Mark Zuckerberg’s accounts on Twitter and Pinterest, critics have wondered if there’s going to be a point where personal data becomes nearly worthless because it’s so readily available.
“The milk has already been spilled,” said Eisen.
The only way for users to protect themselves, he says, is for tech firms to move from traditional passwords toward a system that asks different prompts at each log-in – like how Facebook asks users to identify photos of their friends when they log in on unfamiliar devices.
2:51 p.m.: This article was updated with additional staff reporting.
This article was originally published at 8:13 a.m.