On Thursday, Twitter, chief technology officer Parag Agrawal revealed in a blog post that the company had accidentally recorded user passwords, in plaintext, in an internal system. And while Twitter has fixed the bug, and they don’t think any of the exposed passwords were gain access to in any way, you should still change your Twitter password right now to make sure your account is secure.
Twitter has about 336 million users, according to its latest letter to shareholders. Twitter has started informing both mobile and desktop users to change their passwords, but several people have reported errors and lags, presumably because everyone is trying to make account changes at once (which is good!).
We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect. https://t.co/BJezo7Gk00
— jack (@jack) May 3, 2018
The software bug said to be responsible for the problem appears to be related to how the company secures user passwords through a security technique called hashing, Agrawal explained. Through the hashing technique, Twitter converts passwords into random assortments of numbers so that when users log in, Twitter can validate passwords without actually having to read them.
Because of the software bug, however, user passwords were written into an unspecified “internal log” before they could be converted into a series of numbers. As a result, user passwords were left vulnerable, although Twitter said no one appears to have improperly accessed the log.
Agrawal said that Twitter discovered the error without the help of outside security researchers, removed the passwords from the internal log, and is “implementing plans” to prevent future errors.