If you are on Twitter, the company has a warning for you: change your password. Twitter has revealed that a bug in its system caused the passwords of all users across the world to be stored in an unmasked form, which means the passwords sat unprotected in its log until the bug was identified.
Twitter is now asking users to change their password as a ‘precautionary measure’. Precautionary, because the company has found no evidence of the passwords being compromised or misused in its investigation so far.
We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.
Twitter uses a password-hashing function called ‘bcrypt’ for a masking process which replaces the actual password with a random-looking string of letters and numbers. The process is called ‘hashing’, and thanks to it, all passwords are stored in a non-decipherable form in Twitter’s database so that no one can actually see the real password.
Hashing is standard practice across the industry, but the bug identified by Twitter’s team caused all the passwords to be written in their original form to an internal log before the hashing process could begin, leaving the login credentials of all users vulnerable.
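The failure mode described above, sketched as an added example (this is not Twitter's code): a signup handler logs the request before hashing, shown with and without a log filter that masks sensitive fields. The field names, logger names and sample credentials are assumptions, and PBKDF2 from the Python standard library stands in for bcrypt.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password", "token"}  # assumed field names

class RedactingFilter(logging.Filter):
    """Mask sensitive fields in dict log arguments before the handler formats them."""
    def filter(self, record):
        if isinstance(record.args, dict):
            # Build a new dict so the caller's form data is left untouched.
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt=None):
    # PBKDF2 is a stand-in here; the page says Twitter uses bcrypt.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def build_logger(stream, redact):
    logger = logging.getLogger("signup.redacted" if redact else "signup.raw")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(stream)
    if redact:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger

def handle_signup(form, logger, store):
    # The log write happens before hashing: this is where plaintext can leak.
    logger.info("signup request: %s", form)
    store[form["user"]] = hash_password(form["password"])

def run_demo(redact):
    stream, store = io.StringIO(), {}
    # Constructed sample input, not real data.
    form = {"user": "alice", "password": "correct horse battery staple"}
    handle_signup(form, build_logger(stream, redact), store)
    return stream.getvalue(), store

if __name__ == "__main__":
    print("without filter:", run_demo(redact=False)[0], end="")
    print("with filter:   ", run_demo(redact=True)[0], end="")
```

The database copy is hashed in both runs; only the log line differs, which is why a hashed credential store alone does not rule out this kind of exposure.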
Twitter claims that no security breach or exploitation of the bug has been discovered so far. The company’s security team has removed all the passwords from the internal log, and is now working to ensure that the bug does not pose a security threat in the future. Twitter is now sending a security message to all users, urging them to change their login credentials, use a strong password and also enable two-factor authentication as an added security measure.