
Twitter Locks Hacked Accounts, Denies Its Servers Were Breached

A recent report stating that 32 million Twitter accounts were hacked prompted Twitter to respond. The company denied that its servers have been hacked, but it said that the accounts that have had their passwords leaked will be locked anyway. Affected users will be prompted to reset their passwords.

Twitter said that considering it has seen no evidence of its servers being hacked, it believes that the 32 million leaked Twitter accounts may have been hacked with user credentials exposed in other data breaches or stolen by malware infecting users’ machines.

Many people reuse their passwords for other sites, which is why security experts recommend using a password manager with a strong master password as an alternative to reusing passwords or having to remember dozens of them.

Recently, it was reported that some hackers were trying to sell 117 million LinkedIn accounts that were obtained in the 2012 data breach. However, at the time, only 6.5 million accounts were posted online, so the breach was thought to be much smaller.

Twitter cross-checked the leaked accounts with its own database of users and identified which ones it can lock and prompt the users to reset their passwords. However, in many of these cases, it’s possible that people were using the same password for both their leaked email account and their Twitter account. This means that the new passwords could be obtained by the hackers, as well.

Twitter said that it takes security seriously and proved as much by adopting HTTPS for all of its services, and it uses bcrypt to hash passwords, which is an industry best practice. The company also uses other identifiers, such as location and login history, to determine whether there’s any suspicious behavior when someone tries to log in.
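The cross-check and lock step described above can be sketched as follows. This is an added example, not Twitter's code and not part of the original article: each leaked credential is re-hashed with the matching user's own salt and compared with the stored hash. As assumptions, PBKDF2 from the Python standard library stands in for bcrypt, and the user table, leaked dump and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # demo value; PBKDF2 is a stand-in for bcrypt (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (stdlib stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def accounts_to_lock(user_db: dict, leaked: list) -> list:
    """Return usernames whose leaked password still matches the stored hash.

    Hashes are salted per user, so the dump cannot be matched in bulk:
    every leaked pair is re-hashed with that user's own salt.
    """
    flagged = set()
    for username, leaked_password in leaked:
        record = user_db.get(username.lower())
        if record is None:  # leaked name is not a user of this service
            continue
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time comparison of the two digests.
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(username.lower())
    return sorted(flagged)


def make_user(password: str) -> dict:
    """Build a stored record the way a signup flow would (hypothetical helper)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed sample data: a hypothetical user table and a leaked dump.
USER_DB = {
    "alice": make_user("correct horse battery"),
    "bob": make_user("hunter2"),
    "carol": make_user("Tr0ub4dor&3"),
}
LEAKED_DUMP = [
    ("Bob", "hunter2"),         # still valid: lock and force a reset
    ("alice", "old-password"),  # stale credential: no action needed
    ("mallory", "letmein"),     # not a user of this service
    ("carol", "Tr0ub4dor&3"),   # still valid: lock and force a reset
]

if __name__ == "__main__":
    print(accounts_to_lock(USER_DB, LEAKED_DUMP))
```

Only accounts whose leaked password still verifies are flagged, so users who already changed a reused password are not locked out unnecessarily.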

If you don’t want your Twitter account, or any other important service you may be using, to be hacked, then it’s best to use a password manager and to enable two-factor authentication (Twitter calls it login verification). Then, even if the password is stolen, and even if it wasn’t properly encrypted by the service provider, the hacker still can’t get in without the second-factor code.

Lucian Armasu is a Contributing Writer for Tom's Hardware. You can follow him at @lucian_armasu. 
