Twitter responded to widespread reports of security breaches and leaked passwords with a blog post by trust and information security officer Michael Coates.
Coates wrote that Twitter investigated recent claims of user names and passwords for sale, and it found that the information was not obtained by hacking its servers:
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.
Coates also detailed the measures Twitter takes to keep its users’ accounts secure, including the use of HTTPS throughout its network and on emails from Twitter.com, and the storage of account credentials with bcrypt. He added:
We also protect access to accounts by evaluating items such as location, device being used and login history to identify suspicious account access or behavior. In situations where your password has been directly exposed, you are sent a password reset notification; your account is protected until the owner of the email or phone number resets the password.
For users whose passwords may have been compromised, Coates wrote:
If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the “dark web” – then you have already received an email that your account password must be reset. Your account won’t be accessible until you do so, to ensure that unauthorized individuals don’t have access.
Finally, he offered the following ways that users can help secure their accounts:
- Enable login verification (e.g., two-factor authentication). This is the single best action you can take to increase your account security.
- Use a strong password that you don’t reuse on other websites.
- Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.
Readers: Were any of your Twitter passwords compromised?