This is the text of the message I received (once for each account, all created back around the same time, January 2007):
Hi, dewitt
Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We've reset your password to prevent others from accessing your account.
You'll need to create a new password for your Twitter account. You can select a new password at this link: ***
As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password
Please don't reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).
In general, be sure to:
Always check that your browser's address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don't recognize, click the Revoke Access button.
For more information, visit our help page for hacked or compromised accounts.
The Twitter Team
Best of luck to the security and support teams. Days like these are not fun at all.
And for people trying to puzzle out who was impacted, several of these accounts (all with random strings for passwords, btw) were barely ever used at all, often not for several years. The only thing they had in common was their early creation date, and hence relatively low user ids. My guess is that the hackers simply scanned user ids starting from 1 and worked their way up.
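The sequential-uid walk guessed at above is the kind of pattern a service can spot in its own access logs. The following is an added example, not code from the thread or from Twitter: it assumes a simplified log format of "client_ip method /users/<id>" (constructed sample lines included) and flags any client whose requests climb through user ids in small steps, tolerating the gaps a MySQL auto_increment_increment > 1 leaves in the id space.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the thread). The
# "<client_ip> <method> /users/<id>" format is an assumption.
SAMPLE_LOG = """\
203.0.113.7 GET /users/1
203.0.113.7 GET /users/2
203.0.113.7 GET /users/3
203.0.113.7 GET /users/5
203.0.113.7 GET /users/6
203.0.113.7 GET /users/7
198.51.100.4 GET /users/5511
198.51.100.4 GET /users/42
198.51.100.4 GET /users/9001
"""

LINE_RE = re.compile(r"^(\S+) \S+ /users/(\d+)$")

def parse_log(text):
    """Return {client_ip: [uid, ...]} in request order."""
    per_client = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    return per_client

def is_sequential_scan(uids, min_requests=5, max_gap=3):
    """True when a client walks uids upward with only small gaps.

    max_gap tolerates holes in the id space, such as those left behind
    when auto_increment_increment is greater than 1."""
    if len(uids) < min_requests:
        return False
    steps = [b - a for a, b in zip(uids, uids[1:])]
    return all(0 < s <= max_gap for s in steps)

def find_scanners(text, **kw):
    """Sorted list of client IPs whose requests look like a uid walk."""
    return sorted(ip for ip, uids in parse_log(text).items()
                  if is_sequential_scan(uids, **kw))

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))  # ['203.0.113.7']
```

Thresholds such as min_requests and max_gap are tuning knobs; the random-looking client is ignored because its ids neither climb nor reach the request floor.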
I'm seeing a ton of people I know on twitter complain - I'm user 5511, and these are people who joined at the very beginning too - so your theory is indeed apparently correct. I got an email myself, and reset my already super complex password.
I don't know what # user I am (how can I get this information?) but my twitter account was also created in 2007 (on the 8th of April says whendidyoujointwitter.com) and is still active. Also received the email.
That would explain the high incidence among hackers, who are more often early adopters. I've been surprised by how many people I've heard of getting the email, including people in this comment thread and myself, considering only 250,000 emails were sent out of their couple hundred million accounts.
Twitter employee, here. At one point in time, auto_increment_increment was > 1 on the MySQL master for uid generation. This led to many holes in the uid range.
I've been suspecting the same thing. Two of my accounts received the email, both created several years ago, while none of my newer accounts have been compromised.
This is bullshit. I just got this message, and until I signed into HN I had no idea if Twitter was hacked or if there was a problem on my end. Which would be alarming, because all of my passwords are 30+ random characters, and I never reuse passwords across websites. Fuck you, Twitter.
Just a guess here, but maybe to get the emails out to users fast they re-used an existing template that was intended for resets due to 3rd party incidents.
def generate_password(n):  # function header added to make the snippet runnable; name is assumed
    random_char = '1' # chosen by fair dice, guaranteed random
    return random_char * n
Just kidding. That stinks. I'm guessing your password was quite strong. Any idea how many bits of entropy it was?
It sounds like at this point Twitter sent out the email in parallel with trying to figure out how these compromises happen. Since they salt the hashed passwords, they don't know how complex your password was. Of course, you should still change your password. I changed my 80-bit Linkedin password after it was stolen.
My own solution is to have two different passwords for everything - one for banking and credit cards, another for crap like twitter/linkedin. I haven't changed my passwords for years (no point really, as you're likely to have the breaking as soon as they get your password).
I think there are risks with all solutions to the password problem.