Twitter initiated a password reset to a bunch of user accounts who were suddenly following a couple of suspicious accounts. These accounts were determined to be involved in phishing scams related to torrent sites.
"It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own," explains Twitter's Director of Trust and Safety, Del Harvey. "However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up."
People commonly use the same password across multiple sites, which is essentially how they were able to get access to Twitter accounts, and why Twitter is reiterating a rule screamed by security experts for years: don't use the same password for all of your accounts.
"The takeaway from this is that people are continuing to use the same email address and password (or a variant) on multiple sites," says Harvey. "Through our discussions with affected users, we've discovered a high correlation between folks who have used third party forums and download sites and folks who were on our list of possibly affected accounts. While not all users who were sent a password reset request fall into this category, we felt that it was important to put this knowledge out there so that users would know of the possibility of compromise of their data by a third party unrelated to their Twitter account."
Twitter is not considered as big of a security threat as Facebook by many companies according to a recent study, but that's only because more people use Facebook. Any site that has a large userbase (and Twitter's is growing), means there are likely more crooks and scammers too.