Twitter is urging its users, all 330-some million of them, to change their passwords immediately after a bug caused passwords to be written in readable form to an internal log, rather than kept only in the hashed form the company normally stores.
The social media giant was quick to add that it has resolved the problem and has no reason to believe passwords were stolen or misused in any way, but it advised users to err on the side of caution and change their passwords regardless.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Support (@Support) May 3, 2018
In a blog post, Twitter chief technology officer Parag Agrawal gave more information on the “internal bug,” and what users should do to keep their accounts secure.
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” Agrawal wrote. “This allows our systems to validate your account credentials without revealing your password. This is an industry standard.”
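As an added illustration, not Twitter's own code, here is the hashing step Agrawal describes next to the logging mistake the company disclosed: the same login request logged whole (the plaintext password lands in the log) and logged with sensitive fields redacted. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt, which needs a third-party package; the request fields, `login_log_line` and `handle_login` are hypothetical.

```python
import hashlib
import hmac
import json
import logging
import os
from typing import Optional

logger = logging.getLogger("auth")

# Salted, deliberately slow hash of the password. PBKDF2-HMAC-SHA256 (stdlib)
# stands in for bcrypt, which Twitter names but which needs the "bcrypt" package.
def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = 200_000) -> str:
    if salt is None:
        salt = os.urandom(16)  # per-user random salt, stored alongside the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare; the plaintext is never stored."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

SENSITIVE_FIELDS = {"password", "new_password", "token"}

def redact(request: dict) -> dict:
    """Replace credential-bearing fields before anything reaches a log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in request.items()}

def login_log_line(request: dict, masked: bool) -> str:
    """The line a request logger would write (hypothetical). masked=False is the bug:
    the request, password included, is serialised verbatim into the log."""
    body = redact(request) if masked else request
    return "login attempt: " + json.dumps(body, sort_keys=True)

def handle_login(request: dict, stored_hash: str, masked: bool = True) -> bool:
    logger.info(login_log_line(request, masked))
    return verify_password(request["password"], stored_hash)

if __name__ == "__main__":
    # constructed sample request, not real data
    req = {"user": "alice", "password": "correct horse battery"}
    print(login_log_line(req, masked=False))  # password visible in the log
    print(login_log_line(req, masked=True))   # password redacted
    print(handle_login(req, hash_password(req["password"])))
```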
It’s less startling than other data breaches, such as Yahoo’s, Equifax’s, and Facebook’s ongoing nightmare with Cambridge Analytica, which revealed the extent to which users’ data was handed to outside parties. The promo space had its own incident, too, when hackers got hold of almost a million Hanes customers’ information.
What is a bit alarming is that, although Agrawal assured readers in the press release that the company has no reason to believe anyone got ahold of the password data, the passwords (a number the company called “substantial”) were exposed for “several months,” per Reuters.
It’s also not Twitter’s first data scare.
In 2010, the U.S. Federal Trade Commission settled with Twitter after accusing it of “serious lapses” in data security, allowing hackers to access user data. This happened twice, prompting the FTC to put in place a plan wherein it would audit Twitter’s data security program every other year until 2020.
“We’re very sorry this happened,” Agrawal wrote. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
Agrawal’s first response to the issue was a bit more cynical, claiming that Twitter “didn’t have to” inform the public of the breach, since it seemed to be under control. Apparently, despite holding an executive-level position at Twitter, Agrawal has never visited the site himself, as he seemed to think that would go over well.
He was issuing another apology just three hours later.
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake. https://t.co/Cqbs1KiUWd
— Parag Agrawal (@paraga) May 3, 2018
We’ll monitor this situation as it develops, but for the time being, it looks like everything is OK, unlike the Yahoo and Facebook situations. For business and personal accounts alike, it’s still a good idea to switch your passwords periodically anyway, just to be safe.