Twitter users need to change their passwords immediately. The social network just revealed a bug that stored user passwords in plain text on its internal logs. Twitter says its investigation found no indication of breach or misuse. Despite this, the site urges its 330 million users to change their passwords “out of an abundance of caution.”
“We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do,” said Twitter’s chief technology officer, Parag Agrawal.
I’m sorry that this happened, but am proud to work at a company that puts people who use our service first.
— Parag Agrawal (@paraga) May 3, 2018
It’s not clear exactly how many passwords were affected by the bug, although Twitter emphasizes it has no reason to believe the passwords left its system. However, there remains a chance they were made viewable to employees.
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” Agrawal explained in a statement. “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
Agrawal originally tweeted that the company “didn’t have to” alert users about the bug but later rescinded the statement.
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd
— Parag Agrawal (@paraga) May 3, 2018
The bug seems similar to a glitch in Github’s password reset feature that leaked user passwords in plain text to the company’s internal logs. The code repository said earlier this week a small group of employees gained access to the sensitive information.
If you have a Twitter account, we strongly recommend changing your password as soon as possible and making sure you don’t use that password for any other service. We also suggest you opt into two-factor authentication, which requires you type in a code sent to your phone via text before you can log in. You can change your Twitter password from this link.
Twitter declined the Daily Dot’s request for comment.
