Twitter recently put millions of users on notice to reset their passwords after the company learned that passwords were, somehow, available on the Dark Web. But Twitter contends — and it’s very plausible — that these passwords were not pilfered from Twitter’s servers.
According to this Twitter blog post, the “purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.”
“In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner,” the post continued.
According to this Wall Street Journal report, the number of passwords available on the Dark Web reaches 33 million.
Twitter provides a few password safety tips, and they are a good idea for everyone:
- Enable login verification (e.g. two-factor authentication). This is the single best action you can take to increase your account security.
- Use a strong password that you don’t reuse on other websites.
- Use a password manager such as 1Password or LastPass to make sure you’re using strong, unique passwords everywhere.
I’d like to add another tip. In addition to using strong passwords, and not reusing them across sites, don’t reuse usernames either. And try to create usernames that aren’t associated with you: avoid your actual name or a widely used email address. It’s a good idea to treat your username as a password. Because it is. It’s another piece of the key to access an account.
Those who don’t manage their passwords in this way aren’t alone. In fact, they have famous company. Last week, according to this Wall Street Journal story, Facebook chief executive Mark Zuckerberg discovered his Twitter and Pinterest accounts were breached because he reused the password “dadada.”