Twitter Wasn't Hacked, But You're at Risk Unless You Do This
Those 32 million Twitter passwords were stolen from individual users, not Twitter itself. Here's how to make sure it doesn't happen to you.
[UPDATED 12:40 p.m. ET June 10 with comment from Twitter regarding reset passwords.]
No, Twitter has not been hacked, despite what you might be reading online or seeing on TV.
It's true that about 32 million sets of login credentials — i.e., usernames and passwords — for Twitter accounts are being sold on cybercriminal websites. But those credentials were probably collected one by one from individual Twitter users whose desktop Web browsers had been infected by malware, not from Twitter itself.
"We have very strong evidence that Twitter was not hacked," said LeakedSource, the website that revealed the data dump, in a blog post Wednesday (June 8). "Rather, the consumer was."
"The explanation for this is that tens of millions of people have become infected by malware," the post added, "and the malware sent every saved username and password from browsers like Chrome and Firefox back to the hackers from all websites, including Twitter."
"We are confident that these usernames and credentials were not obtained by a Twitter data breach," a Twitter spokesperson told TechCrunch.
[UPDATE: In a Twitter blog posting early today (June 10), Twitter security officer Michael Coates explained that Twitter was locking affected accounts and sending email messages notifying users of those accounts that they needed to reset their passwords.
"The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both," Coates wrote. "Regardless of origin, we're acting swiftly to protect your Twitter account.
"In each of the recent password disclosures, we cross-checked the data with our records," he added. "As a result, a number of Twitter accounts were identified for extra protection. Accounts with direct password exposure were locked and require a password reset by the account owner."
Coates also reaffirmed that Twitter stores user passwords hashed with the very strong Bcrypt algorithm, which, as of yet, no one has been able to reverse.]
The upshot is that you should never let your web browsers save login credentials for important accounts, such as social networking, bank or other online financial accounts, webmail or online retail accounts such as Amazon.
Chrome and Firefox store login credentials in plain text, making them ripe targets for hackers. Internet Explorer, to Microsoft's credit, stores them in encrypted form in a separate application.
If remembering passwords is a pain, use a dedicated password manager, such as LastPass or Dashlane, that encrypts and protects your passwords much more securely than a web browser can. And don't forget to enable two-factor authentication on every account that allows it.
How to delete sensitive login credentials from your web browsers
Google Chrome:
1) Click the stacks icon at the extreme right of the Chrome toolbar.
2) Scroll down to Settings and click.
3) On the Settings page, scroll down to and click "Show advanced settings."
4) Scroll down to "Passwords and forms."
5) Click Manage passwords.
6) Scroll through the list of accounts and hover over any account that pertains to social networking, banking, online shopping or webmail. This would include Google, Facebook, Amazon, Twitter, LinkedIn, Instagram, Dropbox and iCloud. You might want to remove Netflix as well.
7) Click Done at the bottom of the pop-up window.
Mozilla Firefox:
1) Click the stacks icon at the extreme right of the Firefox toolbar.
2) Click the gear icon marked Options.
3) Click Security in the left navigation column in the resulting window.
4) Click on the Saved Logins button.
5) Scroll through the list of accounts and look for any account that pertains to social networking, banking, online shopping or webmail. This would include Google, Facebook, Amazon, Twitter, LinkedIn, Instagram, Dropbox and iCloud. You might want to remove Netflix as well.
6) Select each sensitive account and click Remove.
7) Click Close.
Internet Explorer on Windows 7 doesn't let you remove individual credentials, but does let you remove them all at once.
1) Click the gear icon at the extreme right of the Internet Explorer toolbar.
2) Scroll down to and click Internet Options.
3) Select the Content tab.
4) In the AutoComplete section, click the Settings button.
5) Make sure that "Ask me before saving passwords" is selected.
6) Click the button marked "Delete AutoComplete history."
7) Click the OK button.
Internet Explorer on Windows 8.1 and Windows 10 is easier to manage.
1) Type "Control Panel" into the Search field at the bottom left of the Windows desktop.
2) Select "View by large icons" or "View by small icons" so that you can see individual items.
3) Select Credential Manager.
4) Select Web Credentials.
5) Scroll through the list of accounts and look for any account that pertains to social networking, banking, online shopping or webmail. This would include Google, Facebook, Amazon, Twitter, LinkedIn, Instagram, Dropbox and iCloud. You might want to remove Netflix as well.
6) Click the downward-pointing arrow next to each sensitive account to show the list of options for that account.
7) Click Remove.
Apple Safari:
1) Click the Safari item in the menu bar.
2) Scroll down and select Preferences.
3) Select the Passwords tab.
4) If you don't see a Passwords tab, select Autofill, then click the Edit button next to "User names and passwords."
5) Scroll through the list of accounts and look for any account that pertains to social networking, banking, online shopping or webmail. This would include Google, Facebook, Amazon, Twitter, LinkedIn, Instagram, Dropbox and iCloud. You might want to remove Netflix as well.
6) Select each sensitive account and click Remove.
Microsoft Edge lets you manage passwords much as Firefox and Chrome do.
1) Click the three dots at the extreme right of the Edge window.
2) Scroll down and select Settings.
3) Scroll down and select View Advanced Settings.
4) Optional: Toggle off "Offer to save passwords".
5) Click "Manage my saved passwords."
6) Scroll through the list of accounts and look for any account that pertains to social networking, banking, online shopping or webmail. This would include Google, Facebook, Amazon, Twitter, LinkedIn, Instagram, Dropbox and iCloud. You might want to remove Netflix as well.
7) Select each sensitive account and click the X next to it to remove it.
Opera has a built-in encrypted password manager, but we can't verify how secure it is. Here's how to use and manage it:
1) Click the Opera button in the top left of the screen.
2) Scroll down and select Settings, then select and click Preferences in the slide-out window.
3) Click the Forms tab.
4) Click the Password Manager button.
5) Scroll through the list of accounts and look for any account that pertains to social networking, banking, online shopping or webmail. This would include Google, Facebook, Amazon, Twitter, LinkedIn, Instagram, Dropbox and iCloud. You might want to remove Netflix as well.
6) Select each sensitive account and click the Delete button.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.