Twitter is urging all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text. While Twitter’s investigation showed that there was no evidence that any breach or misuse of the unmasked passwords occurred, the company is recommending that users change their Twitter passwords out of an “abundance of caution,” both on the site itself and anywhere else they may have used that password, which includes third-party apps like Twitterrific and TweetDeck.
According to Twitter, the bug occurred due to an issue in the hashing process that masks passwords by replacing them with a random string of characters that get stored on Twitter’s system. But due to an error with the system, apparently passwords were being saved in plain text to an internal log, instead of masking them with the hashing process. Twitter claims to have found the bug on its own and removed the passwords. It’s working to make sure that similar issues don’t come up again.
We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://t.co/yVKOqnlITA— Parag Agrawal (@paraga) May 3, 2018
Twitter hasn’t revealed how many users’ passwords may have potentially been compromised or how long the bug was exposing passwords before it found and fixed the issue. But the fact that the company is urging its entire user base to change their passwords indicates that it would seem to be a significant number of users.
In general, it’s worth taking some time to think about how your passwords are set up. Consider switching over to a password manager (we have a great guide on how and why you should use one here) and avoid repeating passwords across services. That way, when leaks like these do happen, you can avoid the worst of the damage.
Update May 3rd, 5:00pm: Clarified Twitter’s investigation results.