Rumors of a Twitter breach started circulating yesterday afternoon, fittingly, on Twitter. Security researchers cautioned users to change their passwords and enable two-factor authentication, a feature that requires a user to verify their identity at login with a pincode sent to a trusted device.
But the rumors were wrong — at least partially. Although millions of Twitter handles and passwords were popping up for sale on the dark web, Twitter hadn’t suffered a breach. LeakedSource, a site that posted the data, speculated that the login credentials were harvested using malware, a plausible theory supported by Twitter’s own security team.