
Twitter says it has fixed the bug that stored passwords unmasked in an internal log

After fixing a bug that stored passwords in plain text in an internal log, Twitter is urging all its users to change their passwords at once, both on its website and anywhere else the same password has been used, and, if possible, to enable login verification as well. According to Twitter, its investigation showed no “breach or misuse by anyone”.

Twitter hasn’t revealed how many users’ passwords may have been compromised, or to what extent the bug was exposing passwords before the company found and resolved the issue. That it is asking all of its users to change their passwords suggests that the number is very large.

This is what happened, according to Twitter:

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

They added:

 We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.

 

 
