“Bug” caused passwords to be stored on internal server in readable text instead of being hashed
Twitter is urging all users to change their passwords after a “bug” meant that people’s passwords were stored “unmasked in an internal log.”
The micro-blogging website apologised for the issue and sought to reassure users that it does take their trust seriously.
This is not the first time that Twitter has had issues with passwords. In 2012 it unintentionally reset passwords amid rumours of a massive “hack”. And then in 2016 it reset the passwords for users after 32 million login details (in plain text) were uploaded to a website, but Twitter denied it had been hacked.
The latest password gaffe was revealed in a blog posting and a series of tweets on Thursday afternoon.
The micro-blogging website said it had resolved the problem and an internal investigation had found no indication passwords were stolen or misused by insiders.
Still, it urged all users to consider changing their passwords.
“We fixed the bug and have no indication of a breach or misuse by anyone,” Chief Executive Jack Dorsey said in a tweet. “As a precaution, consider changing your password on all services where you’ve used this password.”
Twitter went into the problem in more depth in a blog posting.
“When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it,” the firm blogged. “We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.”
“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” it wrote. “You can change your Twitter password anytime by going to the password settings page.”
Twitter said it follows the industry standard of masking passwords through a process called hashing, using a function known as bcrypt, which replaces the actual password with a seemingly random string of numbers and letters that is stored in Twitter’s system.
“This allows our systems to validate your account credentials without revealing your password,” it wrote. “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
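The failure mode Twitter describes, a handler that writes the raw request to a log before the password reaches the hashing step, shown next to the corrected handler and a check that scans the log for the plaintext. This is an added illustration, not Twitter’s code: the handler names, the in-memory log and the sample credential are constructed, and hashlib.scrypt stands in for bcrypt, which is not in Python’s standard library.

```python
import hashlib
import hmac
import os

SENSITIVE_KEYS = {"password", "new_password", "token"}
_LOG = []  # constructed in-memory log; real code would use the logging module


def _hash_password(password, salt=None):
    """Salted, memory-hard hash; hashlib.scrypt stands in for bcrypt here."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 13, r=8, p=1)
    return salt, digest


def redact(record):
    """Replace sensitive values so the log never carries the plaintext."""
    return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else v) for k, v in record.items()}


def set_password_buggy(request):
    # Bug: the whole request, plaintext password included, is logged
    # before hashing, so the log now holds the credential in readable text.
    _LOG.append("set_password request=%r" % request)
    return _hash_password(request["password"])


def set_password_fixed(request):
    # Fix: redact sensitive fields before logging; only the hash is stored.
    _LOG.append("set_password request=%r" % redact(request))
    return _hash_password(request["password"])


def verify_password(password, salt, digest):
    """Validate a login attempt against the stored salt and hash."""
    return hmac.compare_digest(_hash_password(password, salt)[1], digest)


def log_lines_leaking(secret):
    """Detection: return every log line that contains the plaintext secret."""
    return [line for line in _LOG if secret in line]


if __name__ == "__main__":
    # Constructed sample credential, never a real one.
    req = {"username": "alice", "password": "hunter2"}
    set_password_buggy(req)
    set_password_fixed(req)
    for line in _LOG:
        print(line)
    print("leaking lines:", len(log_lines_leaking("hunter2")))
```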
“We are very sorry this happened,” it said. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
As mentioned above, Twitter has had issues with passwords before.
Aside from the password reset in 2012, Twitter also mistakenly sent out emails telling users their accounts were at risk in March 2014.
Those emails said their accounts had been compromised and users should change their passwords in order to minimise any potential damage.
Fast forward two years to February 2016, and Twitter was in the spotlight again when it revealed a serious vulnerability with its password recovery system that could have exposed the account details of almost 10,000 active Twitter users.
Twitter admitted that bug could have revealed the account details including email addresses and phone numbers associated with the affected accounts.
And then in June that same year Twitter was forced to lock the accounts of users whose passwords were exposed in a database of up to 32 million login details that was uploaded to the web. However, it denied the credentials were obtained in an attack on its servers.