Twitter warns all users to change passwords after 'bug' left credentials stored in plaintext
Twitter has issued a warning to its 330 million users, urging them to change their passwords. The security announcement comes after the company discovered a bug that left passwords stored in unencrypted form in internal logs.
While Twitter says that the bug has been fixed and that the plaintext logs have been deleted, it is encouraging the password change out of "an abundance of caution".
- Twitter bans Kaspersky Lab from buying ads
- Twitter to ban an array of cryptocurrency ads
- Thousands of Android apps have built-in crypto keys and passwords
- Twitter suspends multiple 'tweetdecking' accounts for stealing tweets and spamming content into forced virality
Twitter says that there is no indication that the passwords have been seen by anyone outside of the company, pointing out that the bug was discovered by an employee. The "abundance of caution", however, goes as far as the suggestion that users who have used the same password on other sites and services should also change their passwords elsewhere.
Twitter went public with news about the password problem in a tweet:
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Users logging into the website and mobile app can expect to see a message encouraging them to visiting their account settings to change their passwords.
In a blog post about the password incident, Twitter's chief technology officer, Parag Agrawal, explains:
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
He goes on to reveal a little about the bug itself:
We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.
Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.
While there is no requirement to change your password, you're strongly advised to head over to your account settings and pick a new one. You might also want to consider enabled two-factor authentication.