It’s still not clear where the credentials came from. Twitter insists its systems were not breached, and it’s possible the data was harvested from victims’ browsers by malware, or simply compiled from passwords that people used across multiple services, which were stolen in separate breaches.

Either way, a lot of them were valid, and Twitter has reacted by locking “a number” of accounts and requiring the owners to reset their passwords.

Get Data Sheet, Fortune’s technology newsletter.

“In situations where your password has been directly exposed, you are sent a password reset notification; your account is protected until the owner of the email or phone number resets the password,” Twitter trust and information security officer Michael Coates wrote in a blog post.

The company told the Wall Street Journal it had notified “millions” of users in this way, though it was not more specific.

The data showed up on a shadowy site called LeakedSource this week, at the same time as hackers tried to offer it for sale. It’s not clear whether these hackers, who also passed the data on to LeakedSource, were themselves responsible for stealing or compiling it.

For more on passwords, watch our video.

As Coates noted in his piece, Twitter users should use strong (long and random) passwords that they don’t use elsewhere, enable “two factor authentication” so a code sent to their mobile phone is also required for login, and ideally use a password manager to “make sure you’re using strong, unique passwords everywhere.”