Keeping your account safe

Friday, 10 June 2016

Account security is a top priority at Twitter. Over the past days and weeks we’ve responded to several issues, including reports of leaked Twitter @names and passwords as well as potential collateral damage from the numerous breaches of other websites. I’d like to share more information about how we protect your account, and the challenges all websites face whenever another website is breached.

What’s been happening

We’ve investigated claims of Twitter @names and passwords available on the “dark web,” and we’re confident the information was not obtained from a hack of Twitter’s servers.

The purported Twitter @names and passwords may have been amassed by combining information from other recent breaches, by malware on victims' machines that steals passwords for every site they log in to, or by a combination of both. Regardless of origin, we're acting swiftly to protect your Twitter account.

In each of the recent password disclosures, we cross-checked the leaked data against our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts whose current password was directly exposed were locked and require a password reset by the account owner.

How we keep Twitter secure every day

We use a variety of methods to protect Twitter and your accounts on an ongoing basis. This includes fundamentals such as using HTTPS everywhere and securing the email we send from twitter.com. And as we've mentioned before, we store account passwords as bcrypt hashes rather than in a recoverable form.
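The cross-check described under "What's been happening" is only possible because stored passwords are salted, slow hashes: for each leaked (email, plaintext) pair whose email matches a known account, the plaintext is verified against that account's stored hash, and only accounts where it verifies are locked. The following is an added example, not Twitter's code; it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so it runs without third-party packages (the logic is identical with bcrypt.checkpw), and the user database and leak dump are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

# Stand-in for bcrypt: a salted, deliberately slow hash from the standard
# library. With bcrypt you would call bcrypt.hashpw / bcrypt.checkpw instead.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a new password; a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_user_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store: lower-cased email -> (salt, digest)."""
    return {email.lower(): hash_password(pw) for email, pw in users.items()}


def cross_check_dump(user_db: Dict[str, Tuple[bytes, bytes]],
                     dump: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Classify each leaked (email, plaintext) row against the user store.

    lock:      email is ours and the leaked password verifies -> direct exposure,
               lock the account and force a reset.
    unmatched: email is ours but the password does not verify (old or wrong
               password); worth a notification, not a lock.
    unknown:   email is not an account here.
    One slow hash per matching row is the cost of this check; rows for unknown
    emails are skipped before any hashing.
    """
    result = {"lock": set(), "unmatched": set(), "unknown": set()}
    for email, leaked_pw in dump:
        key = email.lower()
        record = user_db.get(key)
        if record is None:
            result["unknown"].add(key)
            continue
        salt, digest = record
        if verify_password(leaked_pw, salt, digest):
            result["lock"].add(key)
        else:
            result["unmatched"].add(key)
    return result


# Constructed sample data (hypothetical accounts and a hypothetical dump).
SAMPLE_USERS = {
    "alice@example.com": "correct horse battery",
    "bob@example.com": "hunter2",
    "carol@example.com": "Tr0ub4dor&3",
}
SAMPLE_DUMP = [
    ("alice@example.com", "correct horse battery"),  # reused password: lock
    ("bob@example.com", "password123"),              # stale/wrong: notify only
    ("Carol@Example.com", "Tr0ub4dor&3"),            # case differs, still a match
    ("dave@example.com", "letmein"),                 # not an account here
]


def example() -> Dict[str, Set[str]]:
    return cross_check_dump(build_user_db(SAMPLE_USERS), SAMPLE_DUMP)


if __name__ == "__main__":
    for verdict, emails in example().items():
        print(verdict, sorted(emails))
```

Because the stored hash is salted and slow, the only way to learn whether a leaked password is live is to run the hash once per candidate row; that is the same property that makes the dump far less useful to an attacker who obtains the hash table itself.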

We also protect access to accounts by evaluating signals such as location, the device being used, and login history to identify suspicious account access or behaviour. In situations where an account's password has been directly exposed, the account owner is sent a password reset notification; the account stays locked until the owner of the associated email address or phone number resets the password.

What should you do?

If your Twitter information was impacted by any of the recent issues – because of password disclosures from other companies or the leak on the “dark web” – then you have already received an email that your account password must be reset. Your account won’t be accessible until you do so, to ensure that unauthorised individuals don’t have access.

Here are a few steps you can take to keep your Twitter account safe:

  1. Enable login verification (Twitter's form of two-factor authentication). This is the single best action you can take to increase your account security.
  2. Use a strong password that you don’t reuse on other websites.
  3. Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.

The Challenges of Password Breaches

Security is a challenging area and Twitter works very hard every day to protect your account, our data, and our systems. The recent prevalence of data breaches at other websites is a challenge for all websites, not just those breached. Attackers mine the exposed usernames, email addresses and passwords, and use automation to replay those credentials against every major website, a technique commonly called credential stuffing. If a person reused the same username and password on multiple sites, attackers can in some situations take over their account automatically. That is why a breach of passwords at website X can result in compromised accounts at an unrelated website Y.

When so many breaches are announced in a short window of time, it may be natural to assume that any mention of "another breach" is true and valid. Nefarious individuals take advantage of this environment to bundle old breached data, or to repackage accounts from a variety of breaches, and then claim they have login information and passwords for website Z. We take security concerns seriously and investigate issues as they arise, but everyone should also scrutinise the merits of any credential claim. We're always focused on the issues that present a real threat to account security.