Twitter has admitted to a mistake concerning user security. According to an official blog post by Twitter CTO Parag Agrawal, a bug was recently identified that resulted in users' passwords being stored unmasked in an internal log. The firm stresses that there is no indication of any breach or misuse of the bug or the passwords by anyone, but it recommends that users change their passwords anyway.
“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” wrote Mr Agrawal. “You can change your Twitter password anytime by going to the password settings page.”
Twitter uses the bcrypt hashing algorithm to store user passwords for verification on its servers, so that only a hash, never the plaintext, is kept. That industry-standard practice fell short because, due to the bug, "passwords were written to an internal log before completing the hashing process," Agrawal explained in the blog post. Another fact that may matter is that Twitter found the bug itself, removed the unhashed passwords, and fixed the bug to stop it happening again. The fix was not a reaction to an outsider tip, hack, breach or similar. Twitter has "no reason to believe" password information ever left its systems.
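The failure described above is a request being logged before the credential is hashed. The following is an added defensive example (not Twitter's code) showing the two controls a service would want: hash the password before anything is logged, and put a redaction filter in front of the log sink so a password-like field never reaches disk even if a handler logs the raw request. It assumes Python's standard library only; `pbkdf2_hmac` stands in for bcrypt so the block runs offline, and the login handler and form field names are hypothetical.

```python
import hashlib
import hmac
import logging
import os
import re

# Hypothetical defensive example, not Twitter's code. pbkdf2_hmac (stdlib)
# stands in for bcrypt so this runs offline; the logging pattern is the point.

# Matches password-like keys in JSON-ish, dict-repr or query-string form,
# e.g. {'password': 'x'}, "password": "x", password=x
_SECRET = re.compile(r'''(['"]?\b(?:password|passwd|pass)\b['"]?\s*[:=]\s*)(['"]?)([^'"\s,}&]+)''')

def scrub(text: str) -> str:
    """Replace the value that follows any password-like key with a marker."""
    return _SECRET.sub(r"\1\2[REDACTED]", text)

class RedactSecrets(logging.Filter):
    """Last line of defence: scrub the formatted record before it is written."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = scrub(record.getMessage()), ()
        return True

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is generated when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def login_and_capture_log(form: dict) -> list[str]:
    """Simulate a login handler and return the lines it would have logged.

    The first debug call reproduces the mistake (dumping the raw request);
    the filter guarantees the plaintext never reaches the sink, and after
    hashing only the salt, never the password, is logged.
    """
    lines: list[str] = []
    handler = logging.Handler()
    handler.emit = lambda rec: lines.append(rec.getMessage())  # in-memory sink
    handler.addFilter(RedactSecrets())
    log = logging.getLogger("login-example")
    log.setLevel(logging.DEBUG)
    log.handlers, log.propagate = [handler], False
    log.debug("incoming request: %s", form)  # risky: raw form, pre-hashing
    salt, _digest = hash_password(form["password"])
    log.info("stored credential for %s salt=%s", form["user"], salt.hex())
    return lines
```

The scrubbing filter is a safety net, not a substitute for never passing the plaintext to a logger in the first place.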
In the wake of reporting its own error, Twitter has advice for its users on keeping their accounts safe. It offers the usual advice of such online services: use a strong password unique to each site you visit, use a password manager to make that manageable, and turn on two-factor verification where possible. For Twitter specifically, it asks users to consider changing their password and, if any other sites used the same email/password combination, to update those too (without reusing the same passwords). Rounding off the blog post, Agrawal apologised for the security issue affecting the service's 330 million users.