Twitter discovered a bug that recorded users’ passwords in plain text

330 million users are prompted to change their Twitter passwords due to the bug

Twitter urges users to change passwords due to system bug

On Thursday, Twitter disclosed that an internal system bug had caused the company to store user passwords in plain text. It is unknown how many users were affected by this issue as Twitter never reported it.

Twitter has since fixed the bug and implemented corrective actions to ensure such glitches do not occur in the future. Additionally, it was announced that there were no signs of a data breach.[1]

Nevertheless, the social media giant urged all 330 million users to change their Twitter passwords immediately, and even to go as far as resetting them on other websites. The company tweeted:[2]

As a precaution, consider changing your password on all services where you’ve used this password.

Recent security breaches (like the Cambridge Analytica scandal[3] or the LocalBlox data exposure[4]) are threatening users’ private information, and concerns are growing. Twitter is one of the most popular social network platforms in the world and, if anything happened to the exposed data, it might lead to a catastrophe.

Hashing process was not functioning properly for an unknown period of time

Twitter does not store users’ passwords. Well, at least not directly: the stored data is hashed and cannot be read by anyone, including employees of the company. Typically, when a user enters a password to log into Twitter, it is masked by a hashing process (Twitter uses bcrypt[5]), which replaces the text with a random-looking string of characters.

However, due to an error in this hashing process, all passwords were saved in an internal log in plain text. Twitter reported that it was not a security breach, as nobody was able to access the log where the plain-text passwords were stored.

It is unknown how or why the bug occurred, but Twitter has already fixed the problem and informed all users about the glitch – everyone now receives a pop-up window advising them to change their password when they attempt to log in.
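To illustrate the failure mode described above, plain-text passwords ending up in an internal log, here is an added example (not Twitter's code and not from the original article) of a Python logging filter that scrubs password values before a handler writes them. The field names, the `RedactSecrets` class and the sample request are assumptions made for the demonstration.

```python
import io
import logging
import re

# Hypothetical field names treated as secrets; adjust to your request schema.
SENSITIVE_KEYS = ("password", "passwd", "new_password")
_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(SENSITIVE_KEYS) + r")\b(['\"]?\s*[:=]\s*)"
    r"(?:'[^']*'|\"[^\"]*\"|[^\s,&}]+)"  # quoted value, or a bare token
)


class RedactSecrets(logging.Filter):
    """Scrub password values from a record before any handler writes it."""

    def filter(self, record):
        # Render the message first so secrets passed as %-args are covered too.
        record.msg = _PATTERN.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = None
        return True


def capture_login_log(form, redact):
    """Log a login request the way a debug statement might; return the log text."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        handler.addFilter(RedactSecrets())
    logger = logging.Logger("auth-demo")  # standalone logger, no global state
    logger.addHandler(handler)
    logger.info("login attempt: %s", form)
    return stream.getvalue()


# Constructed sample request, not real data.
SAMPLE_FORM = {"username": "alice", "password": "correct-horse-42"}

if __name__ == "__main__":
    print("unfiltered:", capture_login_log(SAMPLE_FORM, redact=False), end="")
    print("filtered:  ", capture_login_log(SAMPLE_FORM, redact=True), end="")
```

Pattern-based scrubbing is a safety net for values with unusual quoting or encoding; the primary control is to never pass credential fields to a logger and to hash the password before any other code touches the request.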

Take extra precautions when it comes to your passwords

Although it has been disclosed that the incident was not a data breach, it is still strongly advised to take extra precautions when it comes to internet safety and security.

If you are a Twitter user, change your password urgently. As already advised, do the same on any other websites where you use the same password.

Additionally, do not forget the following rules for better virtual safety:

Download and update security software. If spyware gets into your machine, hackers can easily read all the data you type in, no matter how long your password is.

Use strong passwords. Do not be predictable. Cybercriminals are sophisticated individuals and can crack your password easily. Thus, use a varied combination of upper- and lower-case letters, numbers and similar characters.

Limit the password to one site. Never reuse passwords on another website or service. Remember, if the data gets leaked, all your accounts can get compromised.

Use two-factor authentication. This technique allows you to receive a code via the phone. You can then log in securely, as long as nobody else has access to your phone.

About the author
Linas Kiguolis

Linas Kiguolis is one of the News Editors and also the Social Media Manager of the 2spyware project. He is an Applied Computer Science professional whose expertise in cyber security is a valuable addition to the team.
