Following news late Wednesday that login credentials for as many as 32 million Twitter accounts were being traded on the dark web, the company has responded by locking a number of the accounts and sending affected users emails prompting them to reset their password.
Twitter insisted in a blog post the stolen names and passwords had not been taken as a result of a hack on its servers, claiming instead that they “may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both.”
Indeed, LeakedSource, which on Thursday revealed news of the Twitter leak, said the information may have been nabbed using malware on “tens of millions” of computers that “sent every saved username and password from browsers like Chrome and Firefox back to the hackers.”
Twitter said it’s been working with LeakedSource to cross-check the data with its own records. “As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.”
It’s not known exactly how many users have been told to take action, though the company told the Wall Street Journal that it was “in the millions.”
A slew of celebrities have recently had their Twitter accounts compromised, though a hacker claiming responsibility said this week that they were doing it merely to raise awareness of internet security. Having examined the leaked data for the 32 million accounts, LeakedSource revealed the most popular password to be “123456,” indicating the hacker may have a point.
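The cross-check Twitter describes, matching a traded dump against its own records and locking only the accounts with “direct password exposure,” is a routine a service can run itself. The following is an added example, not code from Twitter or LeakedSource: it keeps a constructed user store of salted PBKDF2 hashes (no plaintext passwords on the defender's side), walks a constructed leak dump of username/password pairs, and reports which of its own users still have the leaked password set, plus the most common passwords in the dump, as LeakedSource did. The user names, passwords and iteration count are invented for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed credential store for the example: each user has a random salt
# and a PBKDF2-HMAC-SHA256 hash of the current password. A real service would
# read these from its user database; the users and passwords here are invented.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a password and per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


USER_STORE = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("123456"),
    "carol": make_record("hunter2"),
}

# Constructed leak dump in the shape a reseller trades: (username, plaintext).
# It deliberately mixes live hits, stale passwords, wrong guesses, users that
# are not ours, and duplicate rows, which is what real dumps look like.
LEAK = [
    ("bob", "123456"),
    ("carol", "letmein"),    # stale: carol has since changed her password
    ("alice", "123456"),     # does not match alice's current password
    ("dave", "123456"),      # not one of our users
    ("bob", "123456"),       # duplicate row
    ("erin", "password"),
]


def verify(username: str, candidate: str) -> bool:
    """True only if the candidate password verifies against the stored hash.
    Constant-time comparison avoids leaking match/no-match through timing."""
    rec = USER_STORE.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(candidate, rec["salt"]))


def find_directly_exposed(leak) -> list:
    """Usernames from our store whose leaked password is still their current
    one. These are the accounts to lock and force through a reset."""
    seen = set()
    exposed = set()
    for username, candidate in leak:
        if (username, candidate) in seen:   # skip duplicate rows
            continue
        seen.add((username, candidate))
        if verify(username, candidate):
            exposed.add(username)
    return sorted(exposed)


def top_passwords(leak, n: int = 3) -> list:
    """Most common plaintext passwords in the dump, as LeakedSource reported."""
    return Counter(pw for _, pw in leak).most_common(n)


if __name__ == "__main__":
    print("lock and force reset:", find_directly_exposed(LEAK))
    print("most common passwords:", top_passwords(LEAK))
```

Two design points matter here. The defender never needs the plaintext side of its own database: each leaked pair is hashed with that user's salt and compared against the stored verifier, so stale passwords and wrong guesses fall out naturally, and only accounts whose current password is in the dump are flagged. Deduplicating rows before hashing keeps the cost of a slow KDF bounded on multi-million-row dumps, and the result list should be acted on internally (lock, notify, reset) rather than exposed through any interface an attacker could query.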
Whether or not you’ve received an email from Twitter, now is as good a time as any to change your password, for peace of mind if nothing else. The microblogging site offered a few tips in its post:
- Enable login verification (e.g. two factor authentication). This is the single best action you can take to increase your account security.
- Use a strong password that you don’t reuse on other websites.
- Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.