According to multiple sources, a list of 32 million Twitter usernames and passwords is for sale on the dark web. This happened despite Twitter stating that it has NOT had a breach.
It’s quite unlikely that all of the passwords listed in the database for sale will allow hackers to break into Twitter accounts.
Whether that is because the details are simply incorrect or because some of the data is stale and out-of-date is unclear. But if users were, or still are, using the same password across different online accounts tied to the same username or email address, those credentials definitely continue to present a risk.
The simple truth is that we just don't know what proportion of the passwords listed in this database are accurate. The only company that can really confirm the quality of the stolen data is Twitter itself.
It is suspected (and more or less confirmed by Twitter) that these 32 million accounts are re-used usernames and passwords from other breaches. So if you've re-used your username and/or password, we suggest that you change them NOW.
Twitter Security Officer on the record
Michael Coates, Trust & Info Security Officer @Twitter tweeted:
We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached.
— Michael Coates ஃ (@_mwc) June 9, 2016
The theory that password re-use is the cause is backed up by a recently published security post from Twitter:
We’ve investigated claims of Twitter @names and passwords available on the “dark web,” and we’re confident the information was not obtained from a hack of Twitter’s servers.
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we’re acting swiftly to protect your Twitter account.
In each of the recent password disclosures, we cross-checked the data with our records. As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner.
Recommendation: if you re-used a username and/or password, first change it on Twitter, then associate your phone number with your account so that Twitter can use it for 2-factor verification if they notice something amiss with your account.
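The cross-check Twitter describes in its post (comparing the leaked list against its own records and locking accounts with direct password exposure) is worth seeing in working form from the defender's side. The following is an added example written for this page, not Twitter's code: it assumes a constructed credential store of per-user salts plus PBKDF2-SHA256 digests and a constructed leaked "username:password" list, and shows how a provider can tell exposed accounts from stale or wrong entries without ever storing the leaked plaintext.

```python
import hashlib
import hmac
import os

# Constructed sample data (not Twitter's real records or the leaked list):
# the provider's credential store holds only a per-user random salt and a
# PBKDF2-SHA256 digest. A production system would more likely use bcrypt,
# scrypt or Argon2; PBKDF2 is used here because it ships with Python.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored digest for one password under one per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user_record(password: str) -> dict:
    """Create a credential-store entry the way an account signup would."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "locked": False}


def normalize_username(name: str) -> str:
    """Leaked lists mix '@Name', 'Name' and 'name'; match on one canonical form."""
    return name.strip().lstrip("@").lower()


# Constructed credential store for three accounts (hypothetical users).
USER_DB = {
    "alice": make_user_record("correct horse battery staple"),
    "bob": make_user_record("bob-unique-passphrase-2016"),
    "carol": make_user_record("Summer2016!"),
}

# Constructed sample of a leaked "username:password" list. Only some pairs
# actually match our records, mirroring the stale and incorrect entries the
# post discusses.
LEAKED_CREDENTIALS = [
    ("@Alice", "correct horse battery staple"),  # real, current password
    ("bob", "password123"),                        # wrong or stale password
    ("carol", "Summer2016!"),                      # real, current password
    ("dave", "letmein"),                           # not one of our users
]


def cross_check(leak, db) -> dict:
    """Classify each leaked pair against the store without storing or logging
    the plaintext: 'exposed' (password verifies against our hash), 'mismatch'
    (our user, but the leaked password is wrong or stale), or 'unknown'
    (username not in our records)."""
    verdicts = {}
    for raw_name, candidate in leak:
        name = normalize_username(raw_name)
        record = db.get(name)
        if record is None:
            verdicts[name] = "unknown"
            continue
        digest = hash_password(candidate, record["salt"])
        # Constant-time comparison, exactly as a login check would do it.
        if hmac.compare_digest(digest, record["hash"]):
            verdicts[name] = "exposed"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def lock_exposed_accounts(db, verdicts) -> list:
    """Lock every account with direct password exposure so the owner must
    reset before the next login; return the locked usernames, sorted."""
    locked = []
    for name, verdict in verdicts.items():
        if verdict == "exposed":
            db[name]["locked"] = True
            locked.append(name)
    return sorted(locked)


if __name__ == "__main__":
    results = cross_check(LEAKED_CREDENTIALS, USER_DB)
    for user, verdict in sorted(results.items()):
        print(f"{user}: {verdict}")
    print("locked for reset:", lock_exposed_accounts(USER_DB, results))
```

The store never needs plaintext: each leaked password is run through the same salted hash as a login attempt and compared in constant time, and only the verdict is kept. Accounts that come back as "mismatch" are not safe to ignore either, since the user may have changed the password recently or still be reusing the leaked one on other services, which is why the post's advice to change re-used passwords and add 2-factor verification applies to them as well.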