Around 250,000 Twitter users may have had their accounts compromised by computer hackers.
The social networking site said usernames, email addresses and encrypted passwords may have been taken during an "extremely sophisticated" attack on its systems.
It said one attack was shut down moments after it was detected, adding that the passwords of users who may have been affected had been reset.
In a blog , Bob Lord, director of information security at Twitter, said there had been "a recent uptick in large-scale security attacks aimed at US technology and media companies", with the New York Times among those targeted.
He said: "Our investigation has indicated the attackers may have had access to limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users.
"As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts.
"This attack was not the work of amateurs and we do not believe it was an isolated incident.
"The attackers were extremely sophisticated and we believe other companies and organisations have also been recently similarly attacked."
One expert said the hackers may have gained access through an employee's home or work computer by exploiting vulnerabilities in Java, a widely-used computing language.
Ashkan Soltani, an independent privacy and security researcher, said such a move would give attackers "a toehold" in Twitter's internal network, potentially allowing them to track user information as it travelled across the company's systems or break into specific areas, such as the authentication servers that process users' passwords.
Although the hackers are unlikely to have gained any confidential information, Mr Soltani said the stolen credentials could be used to access other services for which a person has signed up using the same username and password.
Mr Lord said that although "only a very small percentage" of users were potentially affected, everyone who uses the site should ensure their password is secure.
He said passwords should be at least 10 characters long, contain upper and lowercase letters, numbers and symbols, and be different to passwords used for other online accounts.