On Friday night, hundreds of thousands of Twitter users had their passwords compromised, where Twitter had to send out password reset notifications to 250,000 users. That includes my Twitter account @rustybrick.
It wasn't the first time and I am one of those paranoid password people that won't click on links from emails or considers almost all emails to be suspicious. Twitter explained that this attack wasn't user's fault, they said:
This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.
As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts. If your account was one of them, you will have recently received (or will shortly) an email from us at the address associated with your Twitter account notifying you that you will need to create a new password. Your old password will not work when you try to log in to Twitter.
It is just crazy how passwords these days are simply not secure. Personally, I think every site should offer a two-factor authentication option. Although, it isn't always cheap for the site owner and easy for the end user to use. I am boggled why my bank doesn't offer two-factor but whatever.
A WebmasterWorld thread has one user saying the passwords have yet to be leaked to Torrent sites yet. Maybe in time or maybe it was a bit beyond Torrent level hacking?
Note, if you use that password on other sites, you probably want to change that password everywhere.
Forum discussion at WebmasterWorld.