Twitter Resets Passwords But Denies Server Hack Took Place

Twitter has locked accounts of users whose passwords were exposed in a database of up to 32 million login details, but continues to deny credentials were obtained in an attack on its servers.

An information dump of more than 32 million accounts, including email addresses, usernames and passwords in plain text, was uploaded by breach notification website LeakedSource earlier this week.

Michael Coates, trust and information security officer at Twitter, said the company had investigated reports of a breach and analysed the data involved and decided to take measures to protect the security of its user base.

Twitter password breach

“We’ve investigated claims of Twitter @names and passwords available on the ‘dark web,’ and we’re confident the information was not obtained from a hack of Twitter’s servers,” he said.

“The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.

“In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.”

Coates added that Twitter used HTTPS encryption and stored credentials using bcrypt and that location, device and login history details were used to identify suspicious behaviour. If it believes credentials are exposed – it sends a password reset notification. He suggested Twitter users have a strong password that isn’t used for any other site and use a password manager like LastPass – although that service had had its own security issues in the past.

Password woes

“If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the ‘dark web’– then you have already received an email that your account password must be reset,” Coates added.

“Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.”

Recently, LinkedIn was forced to invalidate the passwords of over 100 million user accounts after a hacker allegedly put the details up for sale online.

The breach even affected Facebook CEO Mark Zuckerberg, who apparently used the same login information for his LinkedIn account as several other social media pages, allowing hackers to gain access to his Pinterest and Twitter accounts.

Facebook and Netflix, neither of whom have suffered any recent breach, have reset some passwords amid concerns that login details leaked in other attacks were also used to access their sites.

Are you a security guru? Try our quiz!