Twitter has announced that every Twitter user in the world - 330 million users worldwide - should update their password. The warning comes after a bug was discovered within Twitter’s systems that accidentally kept all user’s passwords in plain text.
The shocking announcement came via a company blog post released yesterday by Twitter’s CTO, Parag Agrawal. In the blog, Agrawal explained that although Twitter uses hashing to mask passwords - so that no one at the company can ever access them - a bug had been discovered within its systems that accidentally stored the unmasked passwords “in an internal log”.
The previously undiscovered log has apparently been sitting on Twitter’s server readily available for anybody to take a quick look at. However, according to Twitter, nobody knew about the log and there is no indication that any employee - or hacker - has ever accessed it.
Despite this claim, Twitter is strongly advising all 330 million users around the globe to update their password by following these steps:
- Log into your account
- Click on your account avatar bubble in the top right-hand side of the screen
![Twitter Bubble]( "Twitter Bubble")
- Click on Settings and Privacy
- Select Password from the menu on the left-hand side
- Now enter your old password and select a new secure password
Terrible bug
In the blog post, Agrawal explained the process by which Twitter secures their users’ passwords:
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.”
Unfortunately, it would appear that despite being an industry standard, the developers at Twitter buggered the whole thing up. Instead of hashing passwords before storing them on their servers, Twitter’s system was accidentally writing passwords to an internal log in advance of completing the hashing process.
Agrawal says that the bug was discovered by Twitter engineers and that the firm has acted quickly to rectify the problem:
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again. We have no reason to believe password information ever left Twitter’s systems or was misused by anyone.”
Bold Claims
Despite Twitter’s bold assurances, it is hard to ignore past occasions when large amounts of Twitter passwords have appeared for sale. In 2016, 32 million Twitter passwords were discovered for sale on the dark web.
When the enormous password leak was discovered, LeakedSource commented that Twitter passwords could not have come from the firm itself. It believed this because Twitter did “not store passwords in plain text format.”
ProPrivacy Analysis
Although there is no indication that Twitter’s systems have been compromised, caution should always be exercised in situations like these. While Twitter claims that it is only asking users to update their passwords out of “an abundance of caution”, we would urge all Twitter users not only to update their Twitter password at once but also any other service that uses the same password.
Cybercriminals are all too aware that people often use the same password for multiple accounts. For this reason, it is vital that you update all your accounts with the same password. Otherwise, you could leave other online accounts exposed to hackers.
Remember that strong passwords should always be unique to each account and should be complicated enough to be considered truly secure. For this reason, to make your accounts truly secure, you will likely need a password manager such as KeePass.
In addition, if you haven't done so already, you should seriously consider using two-factor authentication - not only on your Twitter account - but on all services where it is available. Doing so will vastly increase the security of those accounts.
Title image credit: nopporn/Shutterstock.com
Image credits: Andrew Krasovitckii/Shutterstock.com