A bug within Twitter’s internal systems exposed, in plain text, the passwords of an undisclosed number of users.
If you’re one of 330 million-plus Twitter users, you should change your password now. This is after the social network’s chief technology officer, Parag Agrawal, announced that the company had discovered a “bug that stored passwords unmasked in an internal log”.
“We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” he added.
Nevertheless, the social network is advising all users to consider changing their password “out of an abundance of caution” – both on the site itself and on any other online service that they access with the same password.
There is no word as to how many users may have had their login credentials compromised. However, Reuters did quote a person familiar with the company’s response as saying that the number was “substantial” and that the credentials had been exposed for “several months”.
First, some theory: it’s best practice for sites to store a scrambled representation (called “hash”) of each password, rather than the actual password in clear text. Through hashing, a password is turned into a completely random mix of characters. Importantly, this process is one-way, i.e. the hashed value cannot be reversed into the corresponding password. In addition, “salting”, or adding extra characters to a password before hashing it, is a common method of preventing password attacks.
Twitter said that it uses a strong hashing algorithm called bcrypt to scramble passwords. However, a bug caused passwords to be written to an internal log in plain text before the hashing process was completed.
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” reads the announcement. Twitter stressed that it has no reason to think that “password information ever left Twitter’s systems or was misused by anyone”.
At any rate, the company dispensed some more advice to the users on top of changing their passwords. The recommendations include enabling two-factor authentication (called “login verification” on Twitter) and using a password manager to create a strong and unique password on every online service.
There is certainly some irony in that the social network announced the mishap on World Password Day.
Earlier this week, code repository GitHub made a similar disclosure after it experienced a similar gaffe that involved inadvertently storing user passwords in plain text.