Twitter urges all 336M users to reset passwords due to hashing bug
Twitter on Thursday issued a security alert recommending its 336 million users change their passwords, the result of an apparent bug that caused some codes to be stored unprotected on an internal log.
The company revealed the issue in a post to its official blog and in tweets from Twitter Support. CEO Jack Dorsey and Twitter’s official account retweeted the Twitter Support message shortly after it went live, while CTO Parag Agrawal tweeted an apology.
Full details are unknown, but Twitter says the recently discovered bug allowed user passwords to be written to an internal log before they had been protected, or masked, by a hashing function known as bcrypt. This industry-standard step replaces a password with a one-way hash, a seemingly random string of letters and digits from which the original password cannot be recovered, and its absence suggests Twitter was logging passwords in plain text.
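The defect described above is a plaintext password reaching a log sink before the hashing step. The following is an added illustration, not Twitter's code, of two controls a defender would put in place: a logging filter that redacts password fields before any handler writes them, and a hash-then-store helper so only the hash is ever persisted. The article names bcrypt; because the bcrypt package is not in the standard library, this example uses hashlib.scrypt as a stand-in (an assumption made for portability, not a statement about what Twitter uses). All user names and passwords below are constructed sample values.

```python
"""Added example: keep plaintext passwords out of logs and store only hashes."""
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Optional

# Keys whose values must never appear in a log line. Extend for your own schema.
_KV_PATTERN = re.compile(
    r"\b(password|passwd|pwd|new_password)=([^\s,;&]+)", re.IGNORECASE
)


def redact(text: str) -> str:
    """Replace the value of any password-like key=value pair with [REDACTED]."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)


class RedactPasswordsFilter(logging.Filter):
    """Rewrites each record's message before any handler can emit it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its args first, then scrub the result.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True  # keep the record, just without the secret


# scrypt stand-in for bcrypt (assumption): salted, slow, one-way.
_SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing 'scrypt$<salt>$<digest>' string for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    recomputed = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), **_SCRYPT_PARAMS
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def demo_log_line(user: str, password: str) -> str:
    """Log a login attempt the careless way and return what reaches the sink."""
    sink = io.StringIO()
    logger = logging.getLogger("demo.auth")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactPasswordsFilter())
    # Constructed example of the bug: the raw password is passed to the logger.
    logger.info("login user=%s password=%s", user, password)
    return sink.getvalue().strip()


if __name__ == "__main__":
    print(demo_log_line("alice", "hunter2"))
    stored = hash_password("hunter2")
    print(stored, verify_password("hunter2", stored))
```

The filter is attached to the logger rather than to one handler, so every handler (file, syslog, stdout) sees the scrubbed record; a filter on a single handler would leave the other sinks exposed. The hash helper never returns the password itself, so even if the stored value is logged, nothing recoverable leaks.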
Twitter has since fixed the glitch and is working to implement safeguards to prevent similar incidents from occurring in the future.
“We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect,” Dorsey said in a tweet.
How long the bug was left undetected and how many passwords were affected by the glitch is unknown, but the company does not believe sensitive information left its internal servers or was harvested by a nefarious third party. According to Reuters, a person familiar with the matter said the number of passwords impacted by the bug is “substantial,” adding that the information was exposed “for months.” Twitter began to inform regulators of the bug when it was discovered a few weeks ago, the person said.
As a precautionary measure, Twitter is urging users to reset their Twitter passwords and the password of any other service where the same one was used. The company also suggests using two-factor authentication and a password manager.
Following today’s revelations, some users navigating to the service’s homepage are seeing a pop-up message that includes notification of the problem and a direct link to system settings, where passwords can be updated.
While not a security breach, Twitter’s password glitch adds to a growing pile of high-profile snafus from tech companies trusted with protecting user data. In many cases, services are targeted by hackers in an attempt to cull personal information. For example, MyFitnessPal in March suffered a breach that exposed usernames, email addresses and passwords of some 150 million accounts.