Twitter says bug exposed user plaintext passwords

Change your passwords — immediately.
Written by Zack Whittaker, Writer-editor on

Twitter has admitted that user passwords were briefly stored in plaintext and may have been exposed to the company's internal tools.

In a blog post, the microblogging site urged users to change their passwords.

"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," said Twitter in a statement.

Twitter didn't say how many accounts were affected, but Reuters reports -- citing a source -- that the number of affected users was "substantial" and that passwords were exposed for "several months."

It's unclear exactly why user passwords were stored in plaintext before they were hashed. Twitter said that it stores user passwords with bcrypt, a stronger password hashing algorithm, but a bug meant that passwords were "written to an internal log before completing the hashing process."

The company said it fixed the bug and that an investigation "shows no indication of breach or misuse" by anyone.

A spokesperson for Twitter reiterated that the bug "is related to our internal systems only," but it did not comment further.

A source familiar with the ongoing investigation told ZDNet that the internal log where user plaintext passwords were accidentally logged was found in an obscure place, and it's believed that the likelihood of someone finding it was low.

"Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account," said the spokesperson. "We believe this is the right thing to do."

The company had 330 million users at its fourth-quarter earnings in February.

Twitter is the second company to admit a password-related bug this week.

GitHub on Tuesday said it also exposed some users' plaintext passwords after they were written to an internal logging system.

It's not known if the two incidents are related, and a Twitter spokesperson would not comment in a follow-up email.
