Twitter admits that it stored your password unmasked

by Mark Tyson on 4 May 2018, 11:31

Tags: Twitter

Twitter has admitted it made a mistake regarding a user security issue. According to an official blog post penned by Twitter CTO Parag Agrawal, a bug was recently identified which had resulted in users' passwords being stored unmasked in an internal log. The firm stresses that there is no indication of any breach or misuse of the bug or the passwords by anyone, but it recommends users change their passwords anyway.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” wrote Mr Agrawal. “You can change your Twitter password anytime by going to the password settings page.”

Twitter normally uses the bcrypt hashing algorithm to store user passwords for verification on its servers. That industry-standard practice was undermined by the bug: “passwords were written to an internal log before completing the hashing process,” Agrawal explained in the blog post about the issue. It is also worth noting that Twitter found the bug itself, removed the unhashed passwords, and fixed the bug to stop such an event happening again. The fix was not a reaction to an outsider tip, hack, breach or similar. Twitter has “no reason to believe” password information ever left its systems.
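As an added illustration of the bug class described above (not code from Twitter or from the article), the following Python shows a login handler that writes the raw request form to its log beside one that passes log records through a redaction filter, plus a check a log-review job could use to detect leaked plaintext. The stdlib scrypt KDF stands in for bcrypt, and the form field names and logger names are constructed for the example.

```python
import hashlib, hmac, io, logging, os, re

# Assumption: the article says Twitter uses bcrypt; stdlib scrypt stands in so this runs offline.
def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)

SECRET_KEYS = {"password", "passwd", "pwd", "token", "secret"}

class RedactSecrets(logging.Filter):
    """Masks secret-looking fields in a dict passed as extra={"payload": ...}
    and in key=value pairs embedded in the message text."""
    _kv = re.compile(r"(?i)\b(password|passwd|pwd|token|secret)=([^\s&,]+)")

    def filter(self, record: logging.LogRecord) -> bool:
        payload = getattr(record, "payload", None)
        if isinstance(payload, dict):
            record.payload = {k: "***" if k.lower() in SECRET_KEYS else v for k, v in payload.items()}
        record.msg, record.args = self._kv.sub(r"\1=***", record.getMessage()), ()
        return True

def login_and_log(form: dict, stored_hash: str, redact: bool):
    """Verifies the submitted password and logs the request; returns (ok, log text).
    redact=False reproduces the bug class: the raw form, password included, hits the log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s %(payload)s"))
    if redact:
        handler.addFilter(RedactSecrets())
    log = logging.getLogger(f"auth.demo.{redact}")  # constructed logger name
    log.handlers.clear()
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    ok = verify_password(form["password"], stored_hash)  # verify, then log the (filtered) request
    log.info("login user=%s", form["username"], extra={"payload": form})
    return ok, buf.getvalue()

def plaintext_leaked(log_text: str, password: str) -> bool:
    """Log-review check: does the submitted secret appear verbatim in what was written?"""
    return password in log_text
```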

In the wake of its own errors being reported, Twitter has advice for its users on keeping their accounts safe. It trots out the usual advice of such online services: use a strong password unique to each site you visit, make use of a password manager to make such a feat more manageable, and turn on two-factor verification where possible. For Twitter specifically, it asks users to consider changing their password and, if any other sites used the same email/password combination, to update those too (but not by reusing the same passwords). Rounding off the blog post, Agrawal apologised for the security issue affecting its 330 million users.

HEXUS Forums :: 6 Comments

“…we didn't have to, but believe it was the right thing to do”

How generous of him, I guess we should be grateful?! It's their responsibility to make sure my data is secure - after all they make money out of it. If they fail to do so they should compensate all affected users + fine. It's wild west industry right now (led by Facebook) and needs some deep regulations to protect our personal information. The only mantra they follow is $$$
.. We are not saying the IT intern sold all your passwords to the Russians but just in case ..
Whilst it's inexcusable, at least they faced it head on rather than completely deny, lie about it and blame others as Sony did.
If you click security challenge on lastpass, it now lists your twitter accounts as “compromised” with a checkbox to auto-change the passwords for you…

Like quite a few companies who have become household name. Security gets in the way of convenience.