Twitter urges all 336m users to change their passwords right now

4 May 2018

Image: Shutow Alexey Leonidovich/Shutterstock

Twitter has found a bug that stored unmasked user passwords in an internal log. There has been no indication of a breach or misuse of the data.

Twitter has urged all 336m of its users to change their passwords after discovering a bug that wrote their passwords, before hashing, to an internal log.

However, it said that there is no indication of a breach or misuse of that data.

In its disclosure, Twitter said that the bug was storing the passwords in an internal log.

“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it,” Twitter’s CTO Parag Agrawal assured users in a blog post.

Agrawal said that the bug has now been fixed.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.”

The disclosure comes at a testy time for internet users and social media generally, right on the heels of the Cambridge Analytica scandal that saw an app gather data on 87m Facebook users.

In this case, Twitter is saying that no breach has occurred but is making the disclosure anyway in a display of honesty.

So how did this bug happen?

Agrawal said that Twitter has a system in place to make sure no employees can access or misuse users’ passwords.

“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system.

“This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening.”
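The failure Agrawal describes is an ordering problem: a request was logged while it still carried the plaintext password, and only afterwards was the password hashed. The following added example (written for this article, not Twitter's code) shows that pattern beside the corrected ordering and a defence-in-depth log filter that redacts secret fields even if a log call is placed wrongly. It is an assumption that the service logs the whole request as a Python dict; and because bcrypt is a third-party package, the hashing step uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the bcrypt function the article names.

```python
import hashlib
import hmac
import logging
import os
import re

ITERATIONS = 200_000  # PBKDF2 work factor; bcrypt's cost parameter plays the same role

# Stand-in for the hashing step the article attributes to bcrypt (assumption:
# PBKDF2-HMAC-SHA256, stdlib). Returns salt || digest for storage.
def hash_password(password: str, salt: bytes = b"") -> bytes:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest

# Validates credentials from the stored hash only; the plaintext is never kept.
def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# The bug pattern: the request, plaintext password included, is logged
# before hashing, so the secret lands in the log store.
def set_password_buggy(request: dict, log: logging.Logger) -> bytes:
    log.info("set_password request=%r", request)
    return hash_password(request["password"])

# The corrected ordering: hash first, then log only non-secret fields.
def set_password_fixed(request: dict, log: logging.Logger) -> bytes:
    stored = hash_password(request["password"])
    log.info("set_password user=%s", request["user"])
    return stored

# Defence in depth: a logging filter that redacts known secret keys from any
# record, so a misplaced log call cannot write a password in the clear.
class RedactSecrets(logging.Filter):
    PATTERN = re.compile(r"('(?:password|passwd|token)':\s*)'[^']*'")

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1'[REDACTED]'", record.getMessage())
        record.args = ()  # message is fully formatted now
        return True

# Runs a handler with an isolated logger whose output is captured in memory,
# so the example runs offline. Returns (stored hash, captured log lines).
def run_with_capture(handler_fn, request: dict, redact: bool = False):
    captured = []

    class Capture(logging.Handler):
        def emit(self, record):
            captured.append(self.format(record))

    logger = logging.getLogger(f"pwdemo.{handler_fn.__name__}.{redact}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(Capture())
    if redact:
        logger.addFilter(RedactSecrets())
    stored = handler_fn(request, logger)
    return stored, captured

# Detection check a log owner can run: how many lines carry a known plaintext?
def count_plaintext_leaks(lines, plaintext: str) -> int:
    return sum(1 for line in lines if plaintext in line)

# Constructed sample request for the demonstration.
SAMPLE_REQUEST = {"user": "alice", "password": "correct-horse-battery"}

if __name__ == "__main__":
    for fn, redact in ((set_password_buggy, False), (set_password_fixed, False),
                       (set_password_buggy, True)):
        stored, lines = run_with_capture(fn, SAMPLE_REQUEST, redact)
        leaks = count_plaintext_leaks(lines, SAMPLE_REQUEST["password"])
        print(f"{fn.__name__:20} redact={redact!s:5} leaked lines={leaks} "
              f"verify={verify_password(SAMPLE_REQUEST['password'], stored)}")
        for line in lines:
            print("   ", line)
```

The ordering fix is the real remedy; the filter is a safety net that only catches the field names it knows about, so it should complement, not replace, a review of where request objects are logged.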

How can you be sure you are secure?

As Agrawal said, there is no evidence to suggest that password information ever left Twitter’s systems.

He said the best way to ensure that your account is safe is to change your password on Twitter or any other service where you may have used the same password.

He urges users to choose a strong password that they do not reuse on other websites, and to switch on two-factor authentication, which Twitter’s settings call login verification.

“This is the single best action you can take to increase your account security,” Agrawal advised.

“Use a password manager to make sure you’re using strong, unique passwords everywhere.”

Agrawal also apologised for the upheaval that changing passwords may cause.

“We are very sorry this happened. We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
