The company said the information was not obtained from a hack of its servers, and speculated that the information may have been gathered from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both.
“In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner,” Twitter’s Trust & Information Security Officer, Michael Coates said in a blog post on Friday.
Millions of users have been notified by Twitter that their accounts are at risk of being taken over, reported the Wall Street Journal on Thursday. The company did not specify to the newspaper how many users were notified and forced to change their passwords but said that the total is in the millions.
Hacked information database LeakedSource revealed on Wednesday that it had acquired a database of 32.8 million records containing Twitter usernames, emails and passwords from a user who goes by the alias Tessa88@exploit.im., but there were questions from some experts as to the authenticity of the data.
The same user provided LeakedSource with names and passwords of alleged users of MySpace.com and VK.com.
“We have very strong evidence that Twitter was not hacked, rather the consumer was,” LeakedSource said. It pointed out that the passwords were in plain text with no encryption or hashing. Twitter said it used a password hashing function called bcrypt. The credentials are “real and valid” as out of 15 users asked, all 15 verified their passwords, LeakedSource said.