The hacker recently linked to attacks on social media sites such as MySpace, LinkedIn and Tumblr is at it again, offering millions of what are alleged to be Twitter usernames and passwords to anyone willing to pay.
The hacker, known as Tessa88, is asking 10 bitcoin, or just under $6,000, for what he or she claims are the log-in credentials for 379 million Twitter accounts.
That amounts to roughly .0015 cents per Twitter account, less than the .025-cent asking price for each of the 179 million compromised LinkedIn accounts.
Such low prices speak to the growing glut of stolen data, and analysts say the cost discrepancy between the Twitter and LinkedIn accounts offers clues about the ways cybercriminals think.
Hacks like this are often used by criminals as a doorway into bank accounts. By obtaining a database of usernames, email addresses and passwords, criminals can probe banking websites hoping victims use the same log-ins across the Web.
“There’s only so much you can get out of somebody’s username and password, but there’s a lot of ways you can monetize it,” said Rebekah Hall, a lead researcher at information security firm Rapid7.
If criminals get into a victim’s bank account, they often buy pre-paid debit cards, which are hard to track, or add recurring charges they hope will go unnoticed by banks, credit monitoring systems and the victims themselves.
But many Internet users are savvy enough to use different passwords, meaning criminals want access to lots of accounts – and they want them cheap.
That said, they may choose to pay an extra fraction of a cent for accounts containing more valuable data.
In this case, a LinkedIn account is worth more to hackers because of the type of information it contains. Unlike Twitter, where many users choose avatars, a LinkedIn account reveals what a potential victim does for a living. This helps criminals specifically target individuals likely to earn big salaries – perhaps the kind less prone to notice small unfamiliar charges on their bank statements.
“The more I reveal what I do, the picture becomes less about my identity [and] more about value on the black market because it has credit card implications,” said Ori Eisen, chief executive of Trusona, a company that protects online assets.
So what can companies like LinkedIn and Twitter do to prevent future hacks?