On Friday morning, about 336 million Twitter users woke up to a note on the micro-blogging website asking them to change their password. This came as a surprise for many, especially because of the recent controversy around the Facebook data breach. Twitter, which had reported a revenue of $665 million – an increase of 21 per cent year-over-year – in the first quarter of 2018, has actually discovered a bug that stored passwords in plain text in an internal system.
“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log,” the site said in a note. However, it added that the bug has been fixed and the investigation shows no indication of breach or misuse by anyone.
Twitter said that it is asking its users to change the password on all services out of an abundance of caution.
“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” said Parag Agrawal, Chief Technology Officer at Twitter, in a blog post, adding that Twitter is sorry that this has happened. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day,” he wrote.
How do Twitter passwords work?
The micro-blogging website masks passwords through a process called hashing, using a function known as bcrypt, which replaces the actual password with a salted, one-way hash: a string of numbers and letters that looks random and cannot be turned back into the password, and which is what Twitter’s system stores. This allows Twitter’s systems to validate account credentials without revealing a user’s password. This is an industry standard.
What went wrong?
Due to a bug, passwords were written to an internal log before the hashing process had completed. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal added.
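The two points above, a slow salted hash that is what gets stored, and a logging step that captures the request before hashing, are illustrated in the following added example. It is not Twitter’s code and makes no claim about how Twitter’s internal systems are built. Because it has to run with the Python standard library only, it uses pbkdf2_hmac as a stand-in for bcrypt; the logging pattern is the same either way. The request payload, field names and logger names are constructed for the example.

```python
"""Added example (not Twitter's code): store only a salted, slow hash of a
password, and keep the plaintext out of application logs.

pbkdf2_hmac stands in for bcrypt so the example runs with the standard library
alone; both are deliberately slow, salted, one-way functions.
"""
import hashlib
import hmac
import io
import json
import logging
import os
from typing import Optional

ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing hash string: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Field names (constructed for the example) that must never reach a log line.
SENSITIVE_FIELDS = {"password", "new_password", "token"}


def redact(payload: dict) -> dict:
    """Copy of the payload with sensitive fields replaced by a marker."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}


def handle_password_change_buggy(request: dict, log: logging.Logger) -> str:
    # BUG: the raw request, plaintext password included, is logged before hashing.
    log.info("password change request: %s", json.dumps(request))
    return hash_password(request["password"])


def handle_password_change_fixed(request: dict, log: logging.Logger) -> str:
    # Fixed: log a redacted copy; the plaintext exists only until it is hashed.
    log.info("password change request: %s", json.dumps(redact(request)))
    return hash_password(request["password"])


def capture_logs(handler, request: dict):
    """Run a handler against an in-memory log; return (log text, stored hash)."""
    buf = io.StringIO()
    log = logging.getLogger(f"demo.{handler.__name__}")
    log.setLevel(logging.INFO)
    log.propagate = False
    stream = logging.StreamHandler(buf)
    log.addHandler(stream)
    try:
        stored = handler(request, log)
    finally:
        log.removeHandler(stream)
    return buf.getvalue(), stored


# Constructed sample request for the demonstration.
SAMPLE = {"user": "alice", "password": "correct horse battery staple"}


def leaks_plaintext(handler) -> bool:
    """Detection check: does the handler's log output contain the password?"""
    text, _ = capture_logs(handler, SAMPLE)
    return SAMPLE["password"] in text


if __name__ == "__main__":
    print("buggy handler leaks plaintext:", leaks_plaintext(handle_password_change_buggy))
    print("fixed handler leaks plaintext:", leaks_plaintext(handle_password_change_fixed))
    text, stored = capture_logs(handle_password_change_fixed, SAMPLE)
    print(text.strip())
    print("stored:", stored)
    print("verify:", verify_password(SAMPLE["password"], stored))
```

The `leaks_plaintext` check is the kind of test a team can keep in its suite after an incident like this one: it feeds a known secret through the request path and fails if that secret shows up in captured log output, which catches a regression regardless of which log statement reintroduces it.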
What should a user do?
The blog post added that even though Twitter has no reason to believe that the password information ever left its systems or was misused by anyone, there are a few steps you can take to keep your account safe:
1. Change your password on Twitter and on any other service where you may have used the same password.
2. Use a strong password that you don’t reuse on other websites.
3. Enable login verification, also known as two-factor authentication. This is the single best action you can take to increase your account security.
4. Use a password manager to make sure you’re using strong, unique passwords everywhere.
Earlier, a report in The Sunday Telegraph had claimed that Twitter had also sold users’ data to a Cambridge Analytica (CA) researcher who collected the data of 87 million Facebook users without their knowledge – a charge that Twitter has denied.