Want CNET to notify you of price drops and the latest stories?

Thousands of Twitter passwords exposed

It's unclear who's responsible for posting passwords for Twitter accounts to a public Web site. The exact number of accounts is also unclear, as Twitter says many are duplicates and many had already been suspended.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Twitter is investigating the release of what appear to be thousands of user account passwords and e-mail addresses.

"We are currently looking into the situation. In the meantime, we have pushed out password resets to accounts that may have been affected," Twitter spokesman Robert Weeks told CNET in an e-mail. "For those who are concerned that their account may have been compromised, we suggest resetting your passwords and more in our Help Center."

The user data, so vast that it took five Pastebin pages to post, was released yesterday and blogged about on Airdemon.net, putting the number of accounts affected at 55,000 or more. It's unclear who posted the data, and why.

Weeks disputed that estimate, noting that many of the passwords and accounts seemed like duplicates.

"It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many log-in credentials that do not appear to be linked (that is, the password and username are not actually associated with each other)," he said.

The list does seem a bit odd, with many passwords that appeared to be robust, and a separation between e-mail addresses and user IDs that hacker Adrian Lamo noted on Twitter wasn't representative of a typical password dump.

We will update this story as we get more information.

Updated, 5:39 p.m. PT: Adds comment about list being odd.

Update May 9 at 12:02 p.m. PT: After Lamo and others found that at least some of the alleged account data had been posted on the Web last year and speculated that the list appeared to be compiled from various sources, including spam accounts, Twitter provided CNET this statement when asked for comment: "We've looked into this and can confirm that Twitter was not compromised. For extra precaution, yesterday, we pushed out password resets to accounts that may have been affected."