Twitter today has detailed an internal bug that saw passwords be stored in an internal unmasked log. While Twitter says that it sees no signs of breach or misuse, it’s recommending that users “consider changing” their passwords…
Twitter explains that while it usually uses hashing to protect user passwords, a bug caused passwords to be written to an internal log before completing that hashing process. What’s important to note here is that the people who had access to this plaintext log were Twitter employees and the company doesn’t see any signs of wrongdoing or breach:
We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system.
Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.
Twitter doesn’t specify whether or not the bug affected everyone’s passwords or not, but it is recommending that all users change their password out of “an abundance of caution.” Ultimately, the company apologizes and reiterates that it is committed to earning user trust:
We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.
Twitter’s announcement comes just a few days after GitHub revealed a similar bug that exposed some plaintext passwords.
Head to Twitter’s blog for the company’s full list of tips on account security, including login verification, using a password manager, and more. Be sure to read our full how to on changing your Twitter password directly from the Android app, as well.