Twitter announced that it had locked down and called for a password reset of some accounts after almost 33 million passwords were exposed.

LeakedSource revealed on Wednesday, June 8, that it had acquired from the user Tessa88@exploit.im a database of 32.8 million records containing Twitter emails, usernames and passwords. Previously, the same user provided names and passwords of users of VK.com and MySpace.com.

The Wall Street Journal reported on Thursday, June 9, that Twitter notified millions of users that their accounts are at risk. But, according to PCWorld, the company denies that the information was obtained from a hack of its servers, speculating that the usernames and passwords may have been gathered from other recent breaches.

Michael Coates, Twitter's Trust & Information Security Officer, declared in a blog post, on Friday, June 10, that the security experts in the company cross-checked the data with their records in each of the password disclosures. As a result, they decided to lock accounts with direct password exposure and to ask the account owners to perform a password reset.

Twitter has not denied the accuracy of at least some of the user data leaked on the dark web. However, the company said that the data breach is not due to a hack on its servers but rather users' computers infected with malware may be responsible.

According to security experts, some indentified formatting techniques suggest that data was indeed captured from malware-infected computers and not from Twitter's internal user database. The evidence points to the conclusion that, in this case, the consumer was hacked rather than Twitter.

Security researcher Troy Hunt told Ars Technica that he does not believe that all 32.8 million accounts in the leaked database contain legitimate credentials for Twitter. According to him, it is highly likely that many records have been obtained independently of the data breach. In this case, the possibility that they can be used against active Twitter accounts is extremely low.