Users of the popular lifestyle social network Pinterest have been experiencing account compromises in recent weeks but the company claims that it hasn’t experienced a security breach.

Instead, the company informed its users that accounts have become the target of hackers who have found passwords associated with their account from other breaches. The attacks appear to hit users who use the same passwords across multiple accounts.

According to a recent email sent out by Pinterest to affected users, there have been a number of unauthorized attempts to access user accounts in recent weeks. The campaign began sometime in late November. Thus far, Pinterest has not provided any details regarding how many accounts it believes are affected.

The social network has informed the affected users that their login name—typically an email address—and password have been exposed as part of a breach of another website.

“Your email address and password may have been obtained by hackers through a breach of other websites, and that information may have been used to log in to your Pinterest account and send spam,” the company said in an email. It also warned that Pins, boards and messages may have been added or sent from the user’s account without their permission.

It’s not uncommon for these types of attacks to occur. Hackers will often take passwords associated with an email address from one data breach and test that password on a variety of other sites in attempts to compromise the user’s accounts across the web.

Despite the claims of the site, security researchers have been skeptical that the attacks have solely been the result of hackers checking for recycled usernames and passwords. Information Security Consultant Scott Helme noted last week that searches for “pinterest password” recently spiked online.

Security researcher Troy Hunt—the creator of Have I Been Pwned, a service that collects database breaches and informs people if their email address appeared in the hack—also questioned if the Pinterest situation was an instance of password reuse. “It’s well beyond password reuse and credential stuffing,” he wrote on Twitter.

Some users reports seem to provide credence to those security researcher concerns. Password reuse attacks rely on people using the same password for multiple accounts, but several users —including Helme —said they used a password manager to generate a random password and still experienced an attempted login from an unauthorized user.

Despite the skepticism from those experts, Pinterest has continued to hold that it has not experienced a security breach. It is taking steps to encourage users to improve their security protocols just in case.

Pinterest users are advised to change their passwords, especially if they have used their Pinterest password for another site or service. Reusing passwords is a frowned upon practice in any situation but with Pinterest apparently in the crosshairs for hackers, users should take extra precaution.

Password managers can be used to generate strong passwords. The apps, like 1Password or Dashlane, require the user to remember a single master password to access all of their accounts. The password manager generate complicated and difficult to crack passwords for the user’s accounts.

Passphrases are also preferred to passwords. Instead of remembering combinations of letters and numbers, create a phrase or collection of words that will be easier to remember and tougher for automated systems crack.

Finally, Pinterest users should activate two-factor authentication. With two-factor authentication enabled, the user will be prompted to provide a secondary code sent to one of their devices when attempting to log in. This ensures that a hacker cannot login to the account even with the user’s password as they access to the code.

To turn on two-factor authentication, follow these steps:

  • Log in to Pinterest

  • Click the three-dot button at the top of Pinterest to open the menu

  • Click Settings

  • Scroll down to Security and click “Require code at login”

  • Confirm the account password

  • Add a phone number to receive the two-factor authentication code

  • Check text messages for the verification code

  • Enter the code and click Verify

  • Write down the backup code and store it somewhere safe as a backup