All 330 million users of the social media platform Twitter are currently urged to change their password. Due to a bug during password hashing, clear-text passwords were exposed within the company's internal systems. No reasons were found to suggest any breach or misuse has occurred, but users are still advised to be cautious.


Twitter clear-text bug exposing passwords

Twitter is currently urging all of its 330 million users to change their passwords. In official posts on its blog and support page the reason is made clear: a bug during password hashing.

Companies with a good security posture generally use hashing to store user passwords in an unreadable form. Twitter does this with the popular hashing function bcrypt, which replaces the stored password with what looks like a random string of numbers and letters. This method allows user credentials to be verified without the actual password ever being revealed.

However, due to a bug, passwords were written to an internal log before the hashing process had completed. As a result they were left unprotected within the company’s internal systems.
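The bug pattern described above, and the defensive fix, as an added example that is not code from the article or from Twitter. It uses PBKDF2 from Python's standard library as a stand-in for bcrypt (bcrypt is not in the standard library), and all function and logger names are assumptions: the buggy path logs the change request before hashing, the fixed path hashes first and logs only non-secret fields, and a log filter redacts any `password=` value that slips through.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

ITERATIONS = 200_000  # PBKDF2 work factor (stand-in for bcrypt's cost parameter)

def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest). Only these are stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class RedactSecrets(logging.Filter):
    """Defense in depth: scrub password=... from every record before it is written."""
    PATTERN = re.compile(r"(password=)\S+")
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = self.PATTERN.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()
        return True

def make_logger(name: str, redact: bool) -> tuple[logging.Logger, StringIO]:
    """Constructed in-memory log sink so the example runs offline and can be audited."""
    sink = StringIO()
    log = logging.getLogger(name)
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(logging.StreamHandler(sink))
    if redact:
        log.addFilter(RedactSecrets())
    return log, sink

def store_password_buggy(log: logging.Logger, user: str, password: str):
    # Bug pattern from the article: the request is logged before hashing completes,
    # so the clear-text password lands in the internal log.
    log.info("password change user=%s password=%s", user, password)
    return hash_password(password)

def store_password_fixed(log: logging.Logger, user: str, password: str):
    # Hash first, then log only non-secret fields (user and a digest prefix).
    salt, digest = hash_password(password)
    log.info("password change user=%s digest_prefix=%s", user, digest.hex()[:8])
    return salt, digest

def leaked(sink: StringIO, secret: str) -> bool:
    """Audit check: does the captured log contain the clear-text secret?"""
    return secret in sink.getvalue()
```

The `leaked` check is the kind of test a team can run against captured log output to catch this class of bug before it reaches production.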

No clear signs of breach or misuse

Twitter has found no indication of breach or misuse but still suggests that users change their passwords on the platform and on any other service where the same password may have been used. Twitter’s chief technology officer Parag Agrawal stated in the previously mentioned official post regarding the incident, “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again”.

The official statement also includes the following advice regarding account security.

  1. Change your password on Twitter and on any other service where you may have used the same password.
  2. Use a strong password that you don’t reuse on other websites.
  3. Enable login verification, also known as two-factor authentication. This is the single best action you can take to increase your account security.
  4. Use a password manager to make sure you’re using strong, unique passwords everywhere.