Security Bug: Twitter asks all users to change their passwords
Twitter has asked its more than 330 million users to change their passwords after admitting that a glitch caused the company to inadvertently record user passwords in readable text on its internal system. Although the problem has been resolved, changing your password is still strongly recommended to keep your Twitter account secure.
We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect. https://t.co/BJezo7Gk00 — jack (@jack) May 3, 2018
Passwords are normally protected through a cryptographic process called "hashing." Twitter uses a well-regarded hash function called bcrypt for this, but a bug caused passwords to be written in plaintext to an internal log before the hashing process was complete.
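The defect class described above, reproduced as an added example (not Twitter's code): a signup handler logs the raw request before hashing, run once without and once with a logging filter that masks sensitive fields. The field names, logger names and sample password are constructed, and PBKDF2 from the Python standard library stands in for bcrypt so the block runs without third-party packages.

```python
import hashlib, hmac, io, logging, os

SAMPLE_PASSWORD = "correct horse battery staple"   # constructed sample input
SENSITIVE_KEYS = {"password", "new_password"}      # assumed form field names

def mask(value):
    """Return a copy of a dict with sensitive fields replaced by a marker."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else mask(v)
                for k, v in value.items()}
    return value

class RedactSecrets(logging.Filter):
    """Mask log arguments before any handler formats or writes the record."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = mask(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(mask(a) for a in record.args)
        return True

def hash_password(password, salt=None):
    # PBKDF2 (standard library) stands in for bcrypt here.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def signup(form, log):
    # Defect class from the article: the raw request is logged before hashing.
    log.info("signup request: %s", form)
    salt, digest = hash_password(form["password"])
    return {"user": form["user"], "salt": salt, "hash": digest}

def run_signup(redact):
    """Run one signup against an in-memory log; return (log text, stored record)."""
    buf = io.StringIO()
    log = logging.getLogger("signup.redacted" if redact else "signup.raw")
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    if redact:
        log.addFilter(RedactSecrets())
    record = signup({"user": "alice", "password": SAMPLE_PASSWORD}, log)
    return buf.getvalue(), record

if __name__ == "__main__":
    for redact in (False, True):
        print(run_signup(redact)[0], end="")
```

The filter copies the log arguments rather than mutating the request, so the hashing step still receives the real password while the log line carries only the marker.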
As a security measure, Twitter is notifying both mobile and desktop users to change their passwords. Notably, the company did not specify how many passwords were affected. David Kennedy, CEO of penetration testing firm TrustedSec, said, "Twitter is taking the right steps by requesting everyone change their password and making the bug public versus hiding it."
We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://t.co/yVKOqnlITA — Parag Agrawal (@paraga) May 3, 2018
To change your account's password, navigate to Settings and privacy > Password. Enter your current password and then choose a new one. To set up two-factor authentication, go to Settings and privacy > Account. In the "Security" subsection, click on "Review your login verification methods", enter your password to confirm, and receive second-factor codes via SMS.