Twitter Urges Users to Change Passwords Due to Glitch

A glitch caused Twitter passwords to be stored in plain text on an internal log.

Twitter said Thursday that a glitch caused account passwords to be stored in plain text on an internal log, sending users across the platform scrambling to change their passwords.

The social media company said that it found and has fixed the glitch, and that its investigation shows no indication of a breach or misuse by anyone. While the company did not specify how many passwords were affected, a Reuters report said its entire user base of 330 million accounts was affected.

“I’d emphasize that this is not a leak and our investigation has shown no signs of misuse,” a Twitter spokesperson told Threatpost. “We’re sharing this information so everyone can make an informed decision on the security of their account.”

The spokesperson declined to comment on the timeframe of the glitch and how many users were impacted.

“Due to a bug, passwords were written to an internal log before completing the hashing process,” said Parag Agrawal, CTO of Twitter, in a blog post. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

Users who opened their accounts Thursday evening received a prompt from Twitter asking them to consider changing their password on all services where they used the password.

Twitter said that it masks passwords through hashing using bcrypt, which replaces the actual password with a random set of numbers and letters stored in its system. However, the glitch caused passwords to be written into the company’s internal computer system before the hashing process was completed.
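The failure mode described above is a request being written to a log before the password in it is hashed. The following added example (not Twitter's code; stdlib PBKDF2 stands in for bcrypt, and the `signup` request, field names and "hunter2-constructed" value are constructed) shows the buggy logging pattern, a log filter that redacts credential fields before they reach the sink, and a sweep that finds unredacted password fields in existing log text:

```python
import hashlib
import io
import logging
import os
import re

SENSITIVE_KEYS = {"password", "passwd", "new_password", "current_password"}
REDACTED = "[REDACTED]"

def redact(obj):
    """Recursively replace the values of sensitive keys; scalars pass through untouched."""
    if isinstance(obj, dict):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    return obj

class RedactingFilter(logging.Filter):
    def filter(self, record):
        if isinstance(record.args, dict):   # logging stores a lone mapping arg as the mapping itself
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True   # keep the record, but only after its args have been scrubbed

def hash_password(password, salt=None):
    """Salted slow hash; stdlib PBKDF2 stands in for the bcrypt Twitter describes."""
    salt = salt or os.urandom(16)
    return "pbkdf2_sha256$" + salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

def handle_signup(request, logger):
    # The bug class in the article: the whole request is logged before hashing happens.
    logger.info("signup request: %s", request)
    return hash_password(request["password"])

def capture_logs(with_filter):
    """Run one constructed signup through a logger and return exactly what reached the log sink."""
    buf = io.StringIO()
    logger = logging.getLogger("signup.redacted" if with_filter else "signup.raw")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    if with_filter:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    handle_signup({"user": "alice", "password": "hunter2-constructed"}, logger)  # constructed input
    return buf.getvalue()

# Detection sweep for existing logs: a password field whose value is anything but the redaction marker.
LEAK_PATTERN = re.compile(r"""['"]?pass(word|wd)['"]?\s*[:=]\s*['"]?(?!\[REDACTED\])[^'",}\s]+""", re.I)

def find_leaks(log_text):
    return [m.group(0) for m in LEAK_PATTERN.finditer(log_text)]
```

The filter sits on the handler, so it scrubs the record before formatting regardless of which call site forgot to strip the password; the sweep is what you would run over retained logs to scope an incident like this one.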

Agrawal said in a tweet that Twitter is sharing the information about the glitch to help users “make an informed decision about their account security.”

Security researcher Troy Hunt told Threatpost that the real world risk of the glitch to users is likely very low: “I can see how it would happen – logs are often largely automated – but clearly it’s a massive oversight,” he said. “By the same token, if the extent of the issue is that the passwords were captured to internal logs, the logs weren’t exposed and they’ve subsequently cleaned that up, the real world risk is likely very low.”

The news parallels another incident earlier this week, in which GitHub disclosed that it had discovered a recently introduced bug exposing a small number of users' passwords in plain text. GitHub also uses bcrypt to hash passwords.

Twitter found itself in hot water earlier in the week after disclosing that it had sold data access to a Cambridge Analytica-linked researcher. This added to already heightened concern in the security community about how social media companies protect private user data.

Discussion

  • Curtis K

    What about a 2FA-enabled account? Does it need a password reset?
    • brian

      not really...but..why take the chance..I do it anyway on most of my accounts every 6 months...just paranoid I guess..lol
  • Tornado Ally

    If it took Twitter this long to discover these automatically-generated plaintext log files, then thousands of other online services likely have the same 'bug'. I would expect a cascade of similar warnings appearing from other online services over the next week.
  • Jean-François Fortin

    What is a "glitch" anyway? Some sort of generic alibi for "we can't explain what really happened" or "we implemented a module that hasn't been fully tested"?
  • ProjectVeritas

    Check out the Project Veritas exposé. This is most likely due to the entire company having a backdoor to users' private data for profiling and sale. They have been forced to stop and this is a symptom of using a different cipher without a master key.
  • BZ

    Account Deleted - Fixed.
