Social media company Twitter is urging its 336 million users to change their passwords after it discovered a glitch that had exposed the passwords of some of its users in plain text on its internal network.
Twitter did not say how many passwords were affected, but it described the number as "substantial" and said the passwords had been exposed for "several months".
Twitter discovered the bug a few weeks ago and has reported it to some regulators, an insider told Reuters. The company says it has fixed the internal glitch and has seen ‘no indication of breach or misuse’ but recommends precautionary steps of changing the login password.
“We are very sorry this happened,” said Twitter’s chief technology officer, Parag Agrawal, in a blogpost. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Good security practice at tech companies is to protect user passwords by scrambling them in a cryptographic process known as hashing. Twitter does this too: hashing replaces the actual password with a scrambled string of numbers and letters, and only that string is stored in the company's system.
“This allows our systems to validate your account credentials without revealing your password,” said Agrawal. “This is an industry standard.” He explained the glitch as, “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
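The defect Agrawal describes is a logging statement that captured the request before the password had been hashed. The following added example (not Twitter's code; it is written for this article and uses a hypothetical login endpoint and a constructed sample request) contrasts a log line built from the raw request with one built after secret fields are redacted, shows the hash-and-verify flow that should be the only thing touching the plaintext, and includes the kind of canary check a team can run over its own logs to detect this class of leak. It uses `hashlib.scrypt` from the standard library as the password hash; the specific algorithm Twitter uses is not stated in the article.

```python
import hashlib
import hmac
import json
import os
from typing import Any, Dict, Iterable, List

# Constructed sample login request; the password is a known canary value.
SAMPLE_LOGIN: Dict[str, Any] = {
    "username": "alice",
    "password": "canary-correct-horse-battery-staple",
}

# Request fields that must never reach a log in plaintext (assumed field names).
SECRET_FIELDS = {"password", "new_password", "current_password", "token"}


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a salted scrypt hash in the form 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def redact(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the request with secret fields replaced by a fixed marker."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in payload.items()}


def buggy_log_line(payload: Dict[str, Any]) -> str:
    """The defect pattern: the whole request is serialised before hashing."""
    return "login attempt: " + json.dumps(payload, sort_keys=True)


def safe_log_line(payload: Dict[str, Any]) -> str:
    """The fix: redact before serialising, so no plaintext secret is written."""
    return "login attempt: " + json.dumps(redact(payload), sort_keys=True)


def handle_login(payload: Dict[str, Any], stored_hash: str) -> Dict[str, Any]:
    """Hypothetical endpoint: logs safely, then verifies against the stored hash."""
    line = safe_log_line(payload)
    ok = verify_password(payload["password"], stored_hash)
    return {"log": line, "authenticated": ok}


def find_canary_leaks(log_lines: Iterable[str], canaries: Iterable[str]) -> List[str]:
    """Detection: return every log line containing a known test-account password.

    Seeding test accounts with distinctive passwords and grepping logs for them
    is a cheap way to catch plaintext-logging bugs before they run for months.
    """
    canaries = list(canaries)
    return [ln for ln in log_lines if any(c in ln for c in canaries)]


if __name__ == "__main__":
    stored = hash_password(SAMPLE_LOGIN["password"])
    print(buggy_log_line(SAMPLE_LOGIN))   # leaks the plaintext password
    print(safe_log_line(SAMPLE_LOGIN))    # password shown as [REDACTED]
    print(handle_login(SAMPLE_LOGIN, stored)["authenticated"])
    leaks = find_canary_leaks([buggy_log_line(SAMPLE_LOGIN), safe_log_line(SAMPLE_LOGIN)],
                              [SAMPLE_LOGIN["password"]])
    print(f"{len(leaks)} leaking line(s) found")
```

The redaction happens on a copy of the request, keyed on field names, so the real password only ever flows into `hash_password` and `verify_password`. The canary scan is the check to keep running after the fix: it confirms, from the logs themselves, that the plaintext no longer appears anywhere.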
Agrawal advised users to change their passwords, enable two-factor authentication on their Twitter account and use a password manager to create strong, unique passwords for every service they use.
Twitter’s CTO took to Twitter to talk about the issue, first saying “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.”
But when he received criticism for saying the company didn’t have to tell users about the bug, he followed up with an apology.
“I should not have said we didn’t have to share. I have felt strongly that we should. My mistake,” he tweeted.
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd
— Parag Agrawal (@paraga) May 3, 2018
The company is presenting users with a pop-up window that includes a message about the bug and a link to their Settings page where they can change the password.
Twitter’s CEO Jack Dorsey tweeted that he believes “it’s important for us to be open about this internal defect.”
To change your Twitter account’s password, navigate to Settings and privacy > Password. Enter your current password and then pick a new one. Wired magazine suggests that if you used your old Twitter password for any other accounts, you should change those, too.
Twitter also allows you to set up two-factor authentication if you don't have it enabled already. Go to Settings and privacy > Account. In the Security subsection, click Review your login verification methods. After entering your (newly changed) password to confirm that you want to make changes, you'll land on a Login verification screen. Here you can choose to receive second-factor codes via SMS or, preferably, from a code-generating app such as Google Authenticator or Authy.