Twitter has urged all users to change their passwords after it discovered a flaw that had exposed some passwords to in internal log, putting everyone at risk.
For safe keeping away from anyone including itself, Twitter usually stores passwords on its database system only after "hashing" them or encrypting them. What this means, those passwords cannot be read, but still can validate users' credentials.
"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard," said Twitter.
The bug occurred due to an issue in the system's hashing process. The error on the system apparently made saved passwords to be shown in plain text to an internal log
In its investigation, Twitter saw no evidence of any breach of the unmasked passwords.
But still, Twitter is not taking any risks, as it recommends all users (about 330 million of them) to change their passwords out of an "abundance of caution," both on the site itself and anywhere else users may have used that password, which includes third-party apps like TweetDeck.
Twitter claims to have found the bug on its own and removed the unmasked passwords. It’s also working to make sure that similar issues won't happen again.
Twitter also gave some recommendations regarding users' account security. This include:
- Changing password on Twitter and on other services using the same password.
- Using strong password, and don' reuse that password anywhere else.
- Enable login verification, or also known as two-factor authentication.
- Use a password manager to manage and create strong and unique passwords, everywhere.