The company says it hasn’t found any indication of a breach or misuse.
Twitter is telling its 330 million users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. The company says it fixed the bug and that there’s no indication of a breach or misuse, but it’s encouraging the password update as a precaution.
The problem happened because of a bug in the way Twitter handled passwords before hashing them. It’s standard security practice for companies to hash the passwords they store rather than keep them as typed. So, if your password was “12345” — which we highly recommend against — it wouldn’t show up in the website’s internal database as “12345,” but as a fixed-length string of letters and numbers derived from the whole password by a one-way function, from which the original can’t be read back directly.
Twitter said it stores passwords hashed with bcrypt, a deliberately slow hashing function designed for passwords. But the company found that, because of a bug, the passwords had also been written in plaintext to an internal log before they were hashed.
The company didn’t respond to a request for more details.
Twitter CEO Jack Dorsey said in a tweet that the bug caused the account passwords to be “written to an internal log before completing a masking/hashing process.” Twitter deleted the log after discovering it and the company told users that it’s “implementing plans to prevent this bug from happening again.”
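The pattern Dorsey describes, a request being logged before the password in it is masked or hashed, is easy to reproduce. The following is an added example and is not Twitter’s code or a description of its systems: it shows a request handler with that bug beside a corrected handler that redacts sensitive fields before logging, a password-hashing routine, and a small audit function that scans existing log text for leaked password values. The handler names, field names, log format and iteration count are assumptions for illustration, and the hashing uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import json
import logging
import os
import re
from io import StringIO

# Constructed in-memory log sink so the example runs offline;
# a real service would write to files or a log pipeline.
_log_buffer = StringIO()
logger = logging.getLogger("auth_example")
logger.setLevel(logging.INFO)
logger.propagate = False
logger.handlers.clear()
logger.addHandler(logging.StreamHandler(_log_buffer))

# Assumed field names that must never reach a log.
SENSITIVE_FIELDS = {"password", "new_password", "token"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor


def reset_log() -> None:
    """Clear the constructed log sink."""
    _log_buffer.truncate(0)
    _log_buffer.seek(0)


def log_contents() -> str:
    return _log_buffer.getvalue()


def redact(payload: dict) -> dict:
    """Return a copy of the request with sensitive fields masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in payload.items()}


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, slow one-way hash (PBKDF2 stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _alg, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def handle_set_password_vulnerable(request: dict) -> str:
    """BUG: the whole request, password included, is logged before hashing."""
    logger.info("set_password request: %s", json.dumps(request))
    return hash_password(request["password"])


def handle_set_password_fixed(request: dict) -> str:
    """Redact before logging; only the hash is ever stored."""
    logger.info("set_password request: %s", json.dumps(redact(request)))
    return hash_password(request["password"])


# Audit helper: find JSON password fields in log text whose value is not masked.
_LEAK_RE = re.compile(r'"(?:password|new_password)":\s*"([^"]*)"')


def find_leaked_passwords(log_text: str) -> list:
    return [m for m in _LEAK_RE.findall(log_text) if m != "[REDACTED]"]


if __name__ == "__main__":
    reset_log()
    handle_set_password_vulnerable({"user": "alice", "password": "12345"})
    print("vulnerable handler leaked:", find_leaked_passwords(log_contents()))
    reset_log()
    handle_set_password_fixed({"user": "alice", "password": "12345"})
    print("fixed handler leaked:", find_leaked_passwords(log_contents()))
```

The audit function is the practical takeaway: once a logging bug like this is suspected, the question is not only whether the code is fixed but how far back the leaked values exist in retained logs, which is why a scan over historical log data, and a reset for everyone rather than a few users, follows.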
Cybersecurity slipups can have major effects when they involve companies that hold information on millions of people. The Equifax breach, in which 147.7 million Americans’ Social Security numbers were exposed, also involved data that hadn’t been encrypted internally.
If Twitter had been hacked, hashed passwords would’ve provided an extra layer of protection. Storing passwords in plaintext creates a major security issue: anyone who obtains the file can log in as those users immediately, and can try the same passwords on other sites where people have reused them. T-Mobile Austria landed in hot water in April after admitting that it had stored passwords in partial plaintext. GitHub, a code repository website, also suffered a similar bug, in which some users’ passwords were written to internal logs in plaintext.
“If all the 330 million passwords were stored in clear text in an internal log, then it’s not really a bug but a design flaw,” said Archie Agarwal, CEO of cybersecurity company ThreatModeler. “It also appears this has been there for a very long time — another reason why they are asking everyone and not just a few users to change their password.”
Twitter didn’t comment on how long the bug existed before it was discovered.
Though Twitter said it doesn’t think the passwords were lost in a breach or misused, passwords are supposed to be hashed before they are ever stored or logged, precisely so that employees with access to the company’s internal systems can’t see them either.
Twitter has been downplaying the effects of the problem.
“I’d emphasize that this is not a breach and our investigation shows no signs of misuse,” a Twitter spokeswoman said. “As such, we are sharing the information so people can make an informed decision on their account security.”
Twitter Chief Technology Officer Parag Agrawal adopted a similar tone, writing in a tweet, “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.”
Agrawal later apologized for his statement, pointing out that it was a mistake to say “we didn’t have to.”