clock menu more-arrow no yes

Filed under:

Twitter advising all 330 million users to change passwords after bug exposed them in plain text

New, 67 comments

There’s apparently no evidence of any breach or misuse, but you should change your password anyway

Illustration by Alex Castro / The Verge

Twitter is urging all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text. While Twitter’s investigation showed that there was no evidence that any breach or misuse of the unmasked passwords occurred, the company is recommending that users change their Twitter passwords out of an “abundance of caution,” both on the site itself and anywhere else they may have used that password, which includes third-party apps like Twitterrific and TweetDeck.

According to Twitter, the bug occurred due to an issue in the hashing process that masks passwords by replacing them with a random string of characters that get stored on Twitter’s system. But due to an error with the system, apparently passwords were being saved in plain text to an internal log, instead of masking them with the hashing process. Twitter claims to have found the bug on its own and removed the passwords. It’s working to make sure that similar issues don’t come up again.

Twitter hasn’t revealed how many users’ passwords may have potentially been compromised or how long the bug was exposing passwords before it found and fixed the issue. But the fact that the company is urging its entire user base to change their passwords indicates that it would seem to be a significant number of users.

Twitter has added a warning in its mobile apps recommending users change their passwords

In general, it’s worth taking some time to think about how your passwords are set up. Consider switching over to a password manager (we have a great guide on how and why you should use one here) and avoid repeating passwords across services. That way, when leaks like these do happen, you can avoid the worst of the damage.

Update May 3rd, 5:00pm: Clarified Twitter’s investigation results.