Twitter has urged its 336 million users to change their passwords after the company discovered a bug that stored passwords in plain text in an internal system.
The company said it had fixed the problem and had seen “no indication of breach or misuse”, but it suggested users consider changing their password on Twitter and on all services where they have used the same password “as a precaution”.
“We are very sorry this happened,” said Twitter’s chief technology officer, Parag Agrawal, in a blogpost. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Companies with good security practices typically store user passwords in a form that cannot be read. In Twitter’s case, passwords are masked through a process called hashing, which replaces the actual password with a random set of numbers and letters that are stored in the company’s system.
“This allows our systems to validate your account credentials without revealing your password,” said Agrawal. “This is an industry standard.”
“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
Agrawal advises people to change their passwords, enable two-factor authentication on their Twitter account and use a password manager to create strong, unique passwords on every service they use.