
Twitter locks millions of accounts following massive password leak

Following news late Wednesday that login credentials for as many as 32 million Twitter accounts were being traded on the dark web, the company has responded by locking a number of the accounts and sending affected users emails prompting them to reset their password.

Twitter insisted in a blog post that the stolen names and passwords had not been taken as a result of a hack on its servers, claiming instead that they “may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both.”

Indeed, LeakedSource, which on Thursday revealed news of the Twitter leak, said the information may have been nabbed using malware on “tens of millions” of computers that “sent every saved username and password from browsers like Chrome and Firefox back to the hackers.”

Twitter said it’s been working with LeakedSource to cross-check the data with its own records. “As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.”

It’s not known exactly how many users have been told to take action, though the company told the Wall Street Journal that it was “in the millions.”

A slew of celebrities have recently had their Twitter accounts compromised, though a hacker claiming responsibility said this week that they were doing it merely to raise awareness of internet security. Having examined the leaked data for the 32 million accounts, LeakedSource revealed the most popular password to be “123456,” indicating the hacker may have a point.

Whether or not you’ve received an email from Twitter, now is as good a time as any to change your password, for peace of mind if nothing else. The microblogging site offered a few tips in its post:

  • Enable login verification (e.g. two-factor authentication). This is the single best action you can take to increase your account security.
  • Use a strong password that you don’t reuse on other websites.
  • Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.

Need help creating an effective password? Then you might want to try this. Or, as Twitter suggests, use a password manager.

Trevor Mogg
Contributing Editor