Twitter has acknowledged that "numerous" usernames and passwords seems to have been leaked. The company says that while it is confident that its own servers haven't been breached, it would appear that the leaks came from attacks on other websites and services.
From the Twitter blog:
We've investigated claims of Twitter @names and passwords available on the "dark web," and we're confident the information was not obtained from a hack of Twitter's servers.
The purported Twitter @names and passwords may have been amassed from combining information from other recent breaches, malware on victim machines that are stealing passwords for all sites, or a combination of both. Regardless of origin, we're acting swiftly to protect your Twitter account.
Twitter says that it has cross-checked its own data with lists of stolen users names and passwords, and locked affected accounts with "direct password exposure," requiring a password reset by the account holder. The company has also outlines some best security practices, such as using strong passwords and turing on login verification, also known as two-factor authentication.