If you’re one of Twitter’s 330 million users, you should consider changing your password. An internal bug in the firm’s hashing process meant that passwords were stored in plain text in its internal logs. And while an investigation has shown no signs of any breach or misuse, the company is recommending people change their passwords on Twitter, and on any services that reuse them, out of an “abundance of caution.”
Chief technology officer Parag Agrawal explained that Twitter follows the industry-standard hashing practice, which scrambles passwords into a mix of random letters and numbers using a cryptographic process. But the bug caused the unmasked passwords to be “written to an internal log before completing the hashing process.”
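The defect described above, as an added illustration that is not Twitter’s code: a login handler that logs the whole request before hashing leaks the plain-text password into the log, while one that redacts secret fields first does not. The request shape, field names and the use of salted PBKDF2 from the standard library are assumptions; the last function is a simple check a defender can run against a handler to confirm the log stays clean.

```python
import hashlib
import io
import json
import logging
import os

# Constructed sample login request (assumption: a dict with a 'password' field).
SAMPLE_REQUEST = {"username": "alice", "password": "correct horse battery staple"}

# Fields that must never reach a log (assumed names).
SENSITIVE_FIELDS = {"password", "new_password", "token"}

def redact(payload: dict) -> dict:
    """Return a copy of the payload safe to log: secret fields replaced."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}

def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 (stand-in for bcrypt/scrypt); returns 'salt$hash' in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"

def handle_login_unsafe(request: dict, log: logging.Logger) -> str:
    # The defect: the full request is logged before hashing, so the
    # plain-text password is written to the log.
    log.info("login request: %s", json.dumps(request))
    return hash_password(request["password"])

def handle_login_safe(request: dict, log: logging.Logger) -> str:
    # Hardened form: only a redacted view of the request ever reaches the log.
    log.info("login request: %s", json.dumps(redact(request)))
    return hash_password(request["password"])

def log_leaks_secret(handler, request: dict) -> bool:
    """Run a handler with an in-memory log; True if the password shows up in it."""
    stream = io.StringIO()
    log = logging.getLogger(f"audit-{handler.__name__}")
    log.handlers.clear()
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(stream))
    log.propagate = False
    handler(request, log)
    return request["password"] in stream.getvalue()

if __name__ == "__main__":
    print("unsafe handler leaks password:", log_leaks_secret(handle_login_unsafe, SAMPLE_REQUEST))
    print("safe handler leaks password:", log_leaks_secret(handle_login_safe, SAMPLE_REQUEST))
```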
“We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://t.co/yVKOqnlITA” — Parag Agrawal (@paraga), 3 May 2018
Twitter deleted the log of plain text passwords after “recently” discovering it. The company told users that it’s “implementing plans to prevent this bug from happening again.”
“We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day,” wrote Agrawal.
Twitter didn’t reveal exactly how many of its users’ passwords were affected by the bug, or for how long they sat exposed in the log before the error was discovered. According to Reuters' source, the number was “substantial” and they were exposed for “several months.”
"I'd emphasize that this is not a breach and our investigation shows no signs of misuse," a Twitter spokeswoman said. "As such, we are sharing the information so people can make an informed decision on their account security."
The situation is another reminder to use two-factor authentication, which you can set up on Twitter, and a good password manager.