Twitter: We weren't hacked but we're forcing password resets after 32 million credentials leak

Twitter's security team is confident that millions of leaked usernames and passwords were not stolen from its servers.
Written by Liam Tung, Contributing Writer

Twitter says credentials may have been collected by password-stealing malware installed on victims' machines.


Twitter says this week's reported leak of 32 million of the site's user names and passwords wasn't the result of a breach of its servers. But it's now responded by locking some exposed accounts and requiring users to pick new passwords.

"We've investigated claims of Twitter @names and passwords available on the dark web and we're confident the information was not obtained from a hack of Twitter's servers," Michael Coates, Twitter's trust and information security officer, said on Friday.

News broke on Thursday that 32 million Twitter passwords were being traded on the dark web, making it the latest in a string of mega password leaks over the past month, affecting MySpace, LinkedIn, and Tumblr users. Combined, the leaks amount to well over half a billion records.

Coates said other possible explanations for the purported Twitter password leak include hackers combining information from these recent breaches. Alternatively, the passwords may have been exposed due to password-stealing malware installed on victims' machines.

Passwords for MySpace, LinkedIn, and Tumblr were similarly being sold on dark web trading sites. In each case the leaks stemmed from breaches that occurred several years ago, but remained unpublished until the past month.

"In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner," Coates said.

Breach notification site LeakedSource, which has obtained the Twitter list, also said it was unlikely Twitter was breached, speculating that malware on victims' machines explained how the passwords were exposed.

Coates said Twitter was working with LeakedSource to obtain a copy of the password dump.

Twitter told the Wall Street Journal that it has forced "millions" of users to change their passwords, but added that millions more of the leaked credentials are invalid.

Facebook and Netflix have also forced some users to reset passwords after cross-checking leaked data against internal records. Services do not store passwords themselves but a one-way hash of each one, a fixed-length value computed from the password and, normally, a per-user salt, so the check works by running each leaked password through the company's own hashing scheme with that user's salt and comparing the result with the hash on file; a match means the user's current password is in the dump.
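An added example, not Twitter's, Facebook's or Netflix's code, of the cross-check described above: a constructed user table holding salted PBKDF2 hashes, a constructed dump of handle:password lines, and a check that re-hashes each leaked plaintext with the site's own scheme and the user's own salt. The hashing parameters, the user records and the dump contents are all assumptions made for this example; it also shows why a hash lifted from another site's dump cannot be compared directly, since the salt differs.

```python
# Added example, not Twitter's, Facebook's or Netflix's code: cross-checking a
# leaked credential dump against a site's own salted password hashes. The
# hashing parameters, user records and dump contents are all constructed here.
import hashlib
import hmac
import secrets
from typing import Dict, Iterator, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed site parameter; production would prefer a
                             # memory-hard function such as scrypt or Argon2

UserRecord = Tuple[bytes, bytes]  # (per-user salt, password hash)


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted hash as the site would store it. Because the salt is
    per-user, the same password hashes to a different value on every site
    (and for every user), so a hash taken from another site's dump can never
    be compared with this one directly; only a plaintext can be re-hashed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def register(db: Dict[str, UserRecord], username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db[username.lower()] = (salt, hash_password(password, salt))


def parse_dump(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (handle, password) pairs from 'handle:password' lines.
    Handles are normalised (leading '@' dropped, lower-cased) since Twitter
    @names are case-insensitive; passwords are left untouched."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # malformed line in the dump
        handle, _, password = line.partition(":")
        handle = handle.lstrip("@").lower()
        if handle:
            yield handle, password


def find_exposed_accounts(db: Dict[str, UserRecord], dump_text: str) -> Set[str]:
    """Return the handles whose *current* password appears in the dump.
    Each leaked plaintext is run through the site's own hash with the user's
    stored salt; a match means direct password exposure."""
    exposed: Set[str] = set()
    for handle, leaked_pw in parse_dump(dump_text):
        record = db.get(handle)
        if record is None:
            continue  # not an account on this site
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            exposed.add(handle)
    return exposed


# Constructed user database and dump for the example.
USERS: Dict[str, UserRecord] = {}
register(USERS, "alice", "correct horse battery staple")
register(USERS, "bob", "hunter2")
register(USERS, "carol", "Tr0ub4dor&3")

LEAKED_DUMP = """\
@alice:correct horse battery staple
bob:password123
@Carol:Tr0ub4dor&3
@dave:qwerty
this line has no separator
"""

if __name__ == "__main__":
    to_lock = find_exposed_accounts(USERS, LEAKED_DUMP)
    print("accounts with direct password exposure:", sorted(to_lock))
    # prints: accounts with direct password exposure: ['alice', 'carol']
```

Only alice and carol are flagged: bob's leaked password is stale and dave is not a user here. The accounts that are flagged are the ones a service would lock and force through a reset, as Coates describes; the rest of the dump is noise as far as this site is concerned.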

Affected Twitter users should have already received an email from the social-media company requiring a password reset. Those accounts have been locked down until the user takes action.

Coates advised Twitter users to bolster the security of their accounts by enabling login verification, Twitter's form of two-step verification.

Once activated, Twitter requires a six-digit code, which it sends to the user by SMS, to be entered at login, so a leaked password on its own is no longer enough to get in. It is advice that has been repeated numerous times over the past month.
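An added example, not Twitter's code, of the server side of a login-verification step like the one described above: a six-digit code is generated for out-of-band delivery (the SMS gateway itself is out of scope here), then accepted once, within a time limit, with a cap on wrong guesses. The five-minute lifetime, the five-attempt limit and the injectable clock are assumptions made for this example.

```python
# Added example, not Twitter's code: server-side handling of a six-digit
# login-verification code sent out of band (for example by SMS). The TTL,
# attempt limit and injected clock are assumptions made for this example.
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_TTL_SECONDS = 300  # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed: after five wrong guesses the code is void


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode("utf-8")).digest()


class LoginVerification:
    """Tracks one outstanding code per user. Only a digest of the code is
    kept, but with a million-value space that is no defence against someone
    who reads the store; the real controls are expiry, single use and the
    attempt limit, all enforced in verify()."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        # username -> [digest, expires_at, attempts_left]
        self._pending: Dict[str, List] = {}

    def issue(self, username: str) -> str:
        """Create a fresh code and return it for delivery to the user's phone."""
        code = f"{secrets.randbelow(10 ** 6):06d}"  # uniform over 000000..999999
        self._pending[username] = [_digest(code),
                                   self._now() + CODE_TTL_SECONDS,
                                   MAX_ATTEMPTS]
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Accept the code once; reject if unknown, expired, or guessed too often."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        if hmac.compare_digest(_digest(submitted.strip()), digest):
            del self._pending[username]  # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[username]  # too many wrong guesses: must re-issue
        return False


if __name__ == "__main__":
    lv = LoginVerification()
    code = lv.issue("alice")                     # in practice handed to the SMS gateway
    print("verified:", lv.verify("alice", code))  # True
    print("replayed:", lv.verify("alice", code))  # False, the code is single use
```

The clock is injected so the expiry path can be exercised without waiting; in a real deployment the pending table would live in a shared store and the code would never be logged or returned to any caller other than the delivery channel.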
