
Twitter Reveals Password Bug, Recommends Users Change Passwords

Twitter disclosed that it discovered a bug in its system for storing passwords — which left them exposed in an internal log — and its top technology exec said that “out of an abundance of caution” users should consider changing their passwords.

Twitter shares dropped as much as 2.7% in after-hours trading Thursday after the social-media company disclosed the bug.

In a blog post, Twitter CTO Parag Agrawal said the company had fixed the glitch and that its internal investigation “shows no indication of breach or misuse by anyone.”

“We are very sorry this happened,” Agrawal wrote. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

Twitter didn’t say how many users’ passwords were being stored in clear text. For the first quarter of 2018, it reported an average monthly active user base of 336 million accounts worldwide.

Twitter users can change their password on the password settings page. Agrawal also pointed users to Twitter’s two-factor authentication login setting, which sends a six-digit code to the user’s phone number; that code is required to log in to the service in addition to the username and password.

Twitter uses an industry-standard “hashing” mechanism to mask passwords; that replaces the actual password with a “random set of numbers and letters that are stored in Twitter’s system,” Agrawal explained.

However, the bug in Twitter’s password-storage system caused user passwords to be written to the internal log before the hashing process was completed. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote.

In February 2016, Twitter disclosed that it had discovered and fixed a bug in its password-recovery systems within 24 hours after identifying it. That bug, which affected almost 10,000 accounts, didn’t expose passwords but “had the potential to expose the email address and phone number associated with a small number of accounts,” according to the company.

In the past, several high-profile Twitter accounts have been hijacked by hackers — including those of Netflix, HBO, Marvel, and even Twitter CEO Jack Dorsey himself. Those incidents don’t appear to be related to the bug Twitter just disclosed. It’s also worth noting that Twitter isn’t alone in being susceptible to account hacks: For example, last summer someone broke into the Instagram account of Selena Gomez and posted a nude pic of ex-boyfriend Justin Bieber.
