Last night, after seeing news of the unprecedented breach at Twitter, I did what any security-conscious person would do after a major cybersecurity incident: I changed my password.
But as with many other proactive folks, countless journalists among them, taking this textbook precautionary measure has resulted in me being locked out of my Twitter account altogether, with no timeline on when access will be restored.
My colleague, VICE features editor Tim Marchman, found himself in the same situation after trying to reset his password, with a message indicating that the email address entered was not associated with his account. In both cases, we also received emails notifying us that two-factor authentication had been disabled on our accounts—presumably by Twitter, which had announced that it was disabling features on a large number of accounts, including those that hadn’t been affected by the breach.
Twitter has not said why it specifically disabled the password reset feature, but based on Motherboard's reporting, it seems likely that hackers were using some of these features in order to take over accounts. Twitter acknowledged the issue, but has not said how many people were affected, nor when affected people will regain access to their accounts.
“This is a widespread issue related to a security incident that we are investigating and working to fix,” a Twitter spokesperson told Motherboard in an email. “Some users may not be able to change the password or access their accounts at the moment unfortunately.”
The issue appears to be widespread, potentially affecting anyone who tried to reset their passwords amidst news of the breach. Because it was initially unclear how accounts were taken over, it was fair to assume, or at least be worried about, the possibility that all Twitter passwords had somehow been compromised, which is why many people would attempt to change their passwords.
“I changed my password yesterday afternoon as soon as the hack looked widespread. Since then I’ve been unable to log in or reset my password,” Zachary Warmbrodt, a reporter at Politico, told Motherboard in an email. After emailing Twitter Support, Warmbrodt said the company responded by saying that his email address was not associated with his account.
The issue seems to be primarily affecting journalists and those with verified accounts, including many at major news outlets. Amanda Mull, a staff writer at The Atlantic, told Motherboard via email that she was “among about a half dozen” staffers at the publication locked out of their Twitter accounts after attempting to reset their passwords.
“We all changed our passwords and then were prompted to change our passwords again a little while later because our accounts had been ‘compromised,’” said Mull. “None of us are able to do that—the password reset screen just sends us in a useless loop, which I have now been locked out of because I tried too many times.”
“[It] turns out my instinct of ‘oh no something bad is happening I should change my password’ has locked me out of my account,” Thorin Klosowski, a privacy and security editor at Wirecutter, told Motherboard via email. “Probably for the best, really.”