Earlier this month, Twitter recommended that every one of its 330 million users should change their passwords immediately after a bug was found to have exposed passwords in plain text.
Twitter masks passwords through hashing, using bcrypt. Bcrypt replaces the password with a salted hash, a fixed-length string of letters and numbers, and it is this hash, not the password, that is stored in Twitter's system. The bug affected this process: passwords were written to an internal log before the hashing had taken place, so they sat in that log in plain text.
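The failure mode described above, the plaintext reaching a log before the hash is computed, is easy to reproduce and easy to test for. The following is an added example, not Twitter's code: a buggy "set password" handler that logs the whole request before hashing, the hardened version that hashes first and logs only a redacted view, and a check that scans log lines for a known secret. The standard library has no bcrypt, so PBKDF2-HMAC-SHA256 (also a salted, deliberately slow hash) stands in for it; the request fields, the redaction list and the in-memory log are all assumptions made for the example.

```python
"""Logging a password before it is hashed: the bug, the fix, and a check.

Constructed example; not Twitter's code. Twitter hashes with bcrypt, which is
not in the Python standard library, so PBKDF2-HMAC-SHA256 is used instead.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Request fields that must never appear in a log line (assumed list).
SENSITIVE_FIELDS = {"password", "new_password", "old_password", "token"}

# Work factor for the stand-in hash; bcrypt would use a cost parameter instead.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algorithm, iterations, salt, digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def set_password_buggy(request: Dict[str, str], log: List[str]) -> str:
    """The bug: the raw request, password included, is logged before hashing."""
    log.append(f"set_password user={request['user']} request={request}")
    return hash_password(request["password"])


def redact(request: Dict[str, str]) -> Dict[str, str]:
    """Copy of the request with every sensitive field replaced by a marker."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in request.items()}


def set_password_fixed(request: Dict[str, str], log: List[str]) -> str:
    """The fix: hash first, and log only a redacted view of the request."""
    stored = hash_password(request["password"])
    log.append(f"set_password user={request['user']} request={redact(request)}")
    return stored


def log_leaks_secret(log: List[str], secret: str) -> bool:
    """Detection check: does any log line contain the plaintext secret?"""
    return any(secret in line for line in log)


if __name__ == "__main__":
    # Constructed sample request; the password is a throwaway test value.
    request = {"user": "alice", "password": "constructed-s3cret"}

    buggy_log: List[str] = []
    set_password_buggy(request, buggy_log)
    print("buggy log leaks password:", log_leaks_secret(buggy_log, request["password"]))

    fixed_log: List[str] = []
    stored = set_password_fixed(request, fixed_log)
    print("fixed log leaks password:", log_leaks_secret(fixed_log, request["password"]))
    print("stored value:", stored)
    print("verify correct password:", verify_password(request["password"], stored))
```

The `log_leaks_secret` check is the kind of assertion worth keeping in a test suite: run the handler with a known test password and fail the build if that string turns up in any captured log output, whatever logging framework is in use.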
When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
While there was said to be no evidence of the bug being taken advantage of by any malicious actor, the social media company still advised individuals to change their passwords as soon as possible:
Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password. You can change your Twitter password anytime by going to the password settings page.
Twitter did not confirm how many accounts may have been affected by the bug, how the bug was found, or how long passwords may have been exposed.
However, kudos should go to Twitter for going public with this information when they did not have to. Being transparent around issues of privacy and security means that users can make informed choices about which platforms they choose to use, and how.
Twitter also provided a list of security recommendations, to help keep accounts safe:
Change your password on Twitter and on any other service where you may have used the same password. Use a strong password that you don’t reuse on other websites. Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security. Use a password manager to make sure you’re using strong, unique passwords everywhere.
If you haven’t changed your Twitter password in the last two weeks, do it now. Take every opportunity to strengthen your account security on any platforms that you use, and remain aware of security issues on that platform.
It’s all part of taking your online security back into your hands.