Twitter goofs up, and sends out mass password reset to users

If you received an email like this, would you believe it’s legitimate or not?

Twitter password reset email

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link:

[Reset password.]

As always, you can also request a new password.

Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

Any security-savvy person should be cautious of automatically clicking on the links, of course, just in case the email had been sent out by online criminals attempting to phish your Twitter credentials.

Sign up to our free newsletter.
Security news, advice, and tips.

But, in this case, just in case you think it was a phishing message, let me reassure you. The email *did* come from Twitter HQ, but it *wasn’t* legitimate.

Huh? How’s that possible?

Well, because Twitter sent out the message by mistake in the last few hours to many users.

TechCrunch reports that Twitter has issued a short statement, acknowledging its error.

We unintentionally sent some password reset notices tonight due to a system error. We apologize to the affected users for the inconvenience.

Twitter passwordIn short, Twitter had a bug in its code or (more likely) human error caused the messages to be sent out by mistake.

Ironically, Twitter was trying to help. The service – like some other online sites – attempts to better protect its users by determining when users might have fallen victim to hacks that exposed passwords on *other* websites, and reset credentials when it believes the user may have used the same (now unsafe) password on Twitter.

But, of course, it got it wrong this time.

There is no indication as to exactly how many Twitter users received the messages, or what caused the social network to send out the erroneous messages, but there are certainly plenty of users who tweeted their concerns.

At the very least, lets hope that those who did act upon Twitter’s alert reset their password to a stronger, harder-to-crack one that they are not using anywhere else on the net.

I would also like to think that at least some of the users will have taken advantage of Twitter’s two factor authentication service for better security at the same time.

There is, of course, still something that we all need to worry about here aside from the gremlins in Twitter’s systems that lead to this problem in the first place.

Users can easily become complacent about genuine security warnings if they start to be sent out by firms by accident, meaning that popular websites like Twitter cannot afford to make too many mistakes like this.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.