Twitter disclosed that it discovered a bug in its system for storing passwords — which left them exposed in an internal log — and its top technology exec said that “out of an abundance of caution” users should consider changing their passwords.
Twitter shares dropped as much as 2.7% in after-hours trading Thursday after the social-media company disclosed the bug.
In a blog post, Twitter CTO Parag Agrawal said the company had fixed the glitch and that its internal investigation “shows no indication of breach or misuse by anyone.”
“We are very sorry this happened,” Agrawal wrote. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
Twitter didn’t say how many users’ passwords were being stored in clear text. For the first quarter of 2018, it reported an average monthly active user base of 336 million accounts worldwide.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Twitter users can change their password on the password settings page. Agrawal also pointed users to Twitter’s two-factor authentication login settings, which send a six-digit code to a user’s phone number that is required to log in to the service in addition to the username and password.
Twitter uses an industry-standard “hashing” mechanism to mask passwords; that replaces the actual password with a “random set of numbers and letters that are stored in Twitter’s system,” Agrawal explained.
However, the bug in Twitter’s password-storage system caused user passwords to be stored before completing the hashing process. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote.
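The failure mode Agrawal describes is a write to a log that happens before the hashing step. The following is an added illustration, not Twitter’s code: a hypothetical password-update handler shown in its buggy form (raw request logged), its hardened form (secret fields redacted before logging, only the salted hash retained), and a small detector that flags log lines carrying an unredacted password field. Field names and the sample request are constructed.

```python
import hashlib
import json
import os
import re

# Constructed sample request; not real user data.
SAMPLE_REQUEST = {"user": "alice", "password": "correct horse battery"}

# Hypothetical names of fields that must never reach a log.
SECRET_KEYS = {"password", "passwd", "new_password", "token"}


def log_request_unsafe(request: dict) -> str:
    """The bug pattern: the raw request is serialised into a log line
    before hashing, so the plaintext password lands in the log."""
    return "INFO password_update " + json.dumps(request)


def redact(request: dict) -> dict:
    """Hardened form: replace secret fields before anything is logged."""
    return {k: ("[REDACTED]" if k in SECRET_KEYS else v) for k, v in request.items()}


def log_request_safe(request: dict) -> str:
    """Same log line, but built from the redacted copy of the request."""
    return "INFO password_update " + json.dumps(redact(request))


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 (stdlib). Only this string belongs in
    storage; the plaintext is discarded once the digest is computed."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


# Detection: a secret field whose value is anything other than the marker.
PLAINTEXT_RE = re.compile(
    r'"(?:password|passwd|new_password|token)"\s*:\s*"(?!\[REDACTED\])[^"]+"'
)


def find_leaked_secrets(log_lines: list) -> list:
    """Return the indexes of log lines that contain an unredacted secret."""
    return [i for i, line in enumerate(log_lines) if PLAINTEXT_RE.search(line)]


if __name__ == "__main__":
    lines = [log_request_unsafe(SAMPLE_REQUEST), log_request_safe(SAMPLE_REQUEST)]
    print("leaking lines:", find_leaked_secrets(lines))  # [0]
    print("stored:", hash_password(SAMPLE_REQUEST["password"]))
```

Running the detector over archived application logs is the check that would have surfaced this class of bug before an audit did.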
In February 2016, Twitter disclosed that it had discovered and fixed a bug in its password-recovery systems within 24 hours after identifying it. That bug, which affected almost 10,000 accounts, didn’t expose passwords but “had the potential to expose the email address and phone number associated with a small number of accounts,” according to the company.
In the past, several high-profile Twitter accounts have been hijacked by hackers — including those of Netflix, HBO, Marvel, and even Twitter CEO Jack Dorsey himself. Those incidents don’t appear to be related to the bug Twitter just disclosed. It’s also worth noting that Twitter isn’t alone in being susceptible to account hacks: For example, last summer someone broke into the Instagram account of Selena Gomez and posted a nude pic of ex-boyfriend Justin Bieber.