by wallywax 4892 days ago
Hmm. Perhaps that explains why I got an email from them saying my account was compromised. Specifically, it said "Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account." It then went on to imply that I was phished, which is extremely unlikely (not only am I incredibly paranoid about that kind of thing, but I haven't actually entered my Twitter password on any website in a long time. I just use the mobile app on my phone.)
3 comments

Likewise.

I got a similar message several months back, but that wasn't part of a larger leak; apparently some website I'd used a while ago had been compromised and I was using my throwaway password on Twitter at the time. Suffice to say, it's using a real one now - fifty-some-odd characters of random garbage generated and stored by 1Password. It's never been used anywhere else, so getting this email a second time just now was quite a shock (this time, my reaction was "really guys, again?" rather than "wtf?")

To their credit, they caught the first instance crazy-fast (my password had been reset automatically within about five minutes of a rogue tweet, though not before a friend texted me about it). This time I didn't see any activity at all, so I assume it was more proactive.

I'd still like an MFA option, especially with how infrequently I actually log in to twitter. However, I do like the "check your OAuth grants" page you're taken to after changing your password.

Me too, and I've never attached an app to twitter. (I've got an account that I basically have signed into 3 or 4 times in 5 years). I'm curious why my username came up as being compromised, unless they're doing something sneaky about updating all passwords older than x yrs old.

edit: The attacker got salted password hashes. That explains it.

Maybe they stopped the hackers in the middle of dumping the database and they only got away with the earliest accounts created.
Also got the message. My account was created in January 2007 and my user id is about 700k. So this could be the case.
Iirc, my usernumber is ~ 700k. So, probably an early version of the hash, unless they silently upgrade on logins.
I just got the reset email, and my uid is in the 3.8 million range, created 4/2007.
Could be. My account dates from 2006, and my userid is sub 50k.
Or more likely the database is sharded and they just compromised those physical machines.
That sounds odd, 250k out of 500m sounds like way too little data for even a single shard, no? And why would only a single shard be vulnerable?
Yup, just got the same email. I really wish they had linked to the blog post and explained the situation in more detail instead of using the standard email template. It's interesting though that one of the recommendations was to revoke access to third-party apps.