Twitter is asking its users to change their passwords after the social media giant found a bug in its systems.
According to CTO Parag Agrawal, Twitter identified “a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.”
Agrawal added that “out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Generally, Twitter masks passwords through a process called hashing, using a function known as bcrypt, which Agrawal said replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system.
“This allows our systems to validate your account credentials without revealing your password. This is an industry standard,” he said in a blog post.
But because of the bug, passwords were written to an internal log before the hashing step ran, so the log held them unmasked, in plaintext.
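To make the two ideas above concrete, here is an added example (not Twitter's code) showing salted password hashing next to the logging mistake that leaks the plaintext. Twitter uses bcrypt; this stand-in uses the Python standard library's PBKDF2-HMAC-SHA256 with a hypothetical work factor so it runs without third-party packages. The "before" handler logs the whole request for debugging before hashing, exactly the shape of bug described; the "after" handler redacts sensitive fields at the call site and installs a logging filter as a safety net. The request dicts and field names are constructed for the example.

```python
"""Salted hashing plus the pre-hash logging pitfall (added example, not Twitter's code)."""
import hashlib
import hmac
import io
import logging
import os

# Hypothetical work factor; bcrypt would use its cost parameter instead.
PBKDF2_ITERATIONS = 200_000
# Constructed list of field names that must never reach a log.
SENSITIVE_KEYS = {"password", "new_password", "token"}


def hash_password(password):
    """Return 'salt$digest' in hex. A fresh random salt means the same
    password hashes differently each time, so hashes can't be compared across users."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time.
    The server never needs the original password after hash_password() ran."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact(request):
    """Copy of the request with sensitive values replaced."""
    return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else v) for k, v in request.items()}


class RedactingFilter(logging.Filter):
    """Defense in depth: scrub any dict handed to the logger as a format argument,
    so a stray debug line elsewhere in the code base still can't leak a password."""

    def filter(self, record):
        if isinstance(record.args, dict):          # logging unpacks a lone dict arg
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, dict) else a for a in record.args)
        return True


def _capture_logger(name, scrub=False):
    """Logger writing to an in-memory buffer so the example can inspect what was logged."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    if scrub:
        logger.addFilter(RedactingFilter())
    return logger, buf


def login_vulnerable(request, stored):
    """BEFORE: the raw request is logged before hashing, so the plaintext password
    lands in the log even though the stored credential is properly hashed."""
    logger, buf = _capture_logger("login.vulnerable")
    logger.debug("login request: %r", request)      # leaks request["password"]
    ok = verify_password(request["password"], stored)
    return ok, buf.getvalue()


def login_hardened(request, stored):
    """AFTER: only a redacted copy is ever passed to the logger, and the filter
    catches anything that slips past the call-site redaction."""
    logger, buf = _capture_logger("login.hardened", scrub=True)
    logger.debug("login request: %r", redact(request))
    ok = verify_password(request["password"], stored)
    return ok, buf.getvalue()


if __name__ == "__main__":
    # Constructed sample credential and login request.
    stored = hash_password("correct horse battery staple")
    req = {"username": "alice", "password": "correct horse battery staple"}
    print("vulnerable log:", login_vulnerable(req, stored)[1].strip())
    print("hardened log:  ", login_hardened(req, stored)[1].strip())
```

Run it and the first log line contains the password verbatim while the second shows `[REDACTED]`; both handlers still authenticate correctly, which is why a bug like this is invisible to functional tests and only shows up if someone reviews what actually reaches the log sink.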
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” said Agrawal.
While Twitter seems to have a handle on the problem, some think it is underplaying how serious the issue is.
“This is not a breach. It’s significantly worse,” tweeted Phil Libin, Co-founder and CEO of AI startup All Turtles.
From the information disclosed, this kind of bug seems grossly negligent at best. There’s no reason for a plaintext password to ever be written to a file. It’s not even the lazy way to code a password handler. It took effort to make this mistake.
— Phil Libin (@plibin) May 4, 2018
Twitter users can change their passwords by going to the password settings page.