[Firehed]

Likewise.

I got a similar message several months back, but that wasn't part of a larger leak; apparently some website I'd used a while ago had been compromised and I was using my throwaway password on Twitter at the time. Suffice to say, it's using a real one now - fifty-some-odd characters of random garbage generated and stored by 1Password. It's never been used anywhere else, so getting this email a second time just now was quite a shock (this time, my reaction was "really guys, again?" rather than "wtf?")

To their credit, they caught the first instance crazy-fast (my password had been reset automatically within about five mintes of a rogue tweet, though not before a friend texted me about it). This time I didn't see any activity at all, so I assume it was more proactive.

I'd still like an MFA option, especially with how infrequently I actually log in to twitter. However, I do like the "check your OAuth grants" page you're taken to after changing your password.