Twitter goofs up, and sends out mass password reset to users

If you received an email like this, would you believe it’s legitimate or not?

Twitter password reset email

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link:

[Reset password.]

As always, you can also request a new password.

Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

Any security-savvy person should be cautious of automatically clicking on the links, of course, just in case the email had been sent out by online criminals attempting to phish your Twitter credentials.

Sign up to our free newsletter.
Security news, advice, and tips.

But, in this case, just in case you think it was a phishing message, let me reassure you. The email *did* come from Twitter HQ, but it *wasn’t* legitimate.

Huh? How’s that possible?

Well, because Twitter sent out the message by mistake in the last few hours to many users.

TechCrunch reports that Twitter has issued a short statement, acknowledging its error.

We unintentionally sent some password reset notices tonight due to a system error. We apologize to the affected users for the inconvenience.

Twitter password In short, Twitter had a bug in its code or (more likely) human error caused the messages to be sent out by mistake.

Ironically, Twitter was trying to help. The service – like some other online sites – attempts to better protect its users by determining when users might have fallen victim to hacks that exposed passwords on *other* websites, and reset credentials when it believes the user may have used the same (now unsafe) password on Twitter.

But, of course, it got it wrong this time.

There is no indication as to exactly how many Twitter users received the messages, or what caused the social network to send out the erroneous messages, but there are certainly plenty of users who tweeted their concerns.

At the very least, lets hope that those who did act upon Twitter’s alert reset their password to a stronger, harder-to-crack one that they are not using anywhere else on the net.

I would also like to think that at least some of the users will have taken advantage of Twitter’s two factor authentication service for better security at the same time.

There is, of course, still something that we all need to worry about here aside from the gremlins in Twitter’s systems that lead to this problem in the first place.

Users can easily become complacent about genuine security warnings if they start to be sent out by firms by accident, meaning that popular websites like Twitter cannot afford to make too many mistakes like this.

Found this article interesting? Follow Graham Cluley on Twitter, Mastodon, or Threads to read more of the exclusive content we post.


Graham Cluley is a veteran of the cybersecurity industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent analyst, he regularly makes media appearances and is an international public speaker on the topic of cybersecurity, hackers, and online privacy. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.