Security Bug: Twitter asks all users to change their passwords
What's the story
Twitter has asked its over 330 million users to change their passwords after admitting that the company inadvertently recorded user passwords in readable text on its internal system due to a glitch. While the problem has been resolved, you are still highly suggested to change your password to ensure the security of your Twitter account.
Twitter Post
Exposed passwords weren't accessed in any way: Twitter CEO
We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect. https://t.co/BJezo7Gk00
— jack (@jack) May 3, 2018
Information
Passwords are disguised by a process known as hashing
Passwords are protected through a cryptographic process called "hashing." But a bug caused them to be accidentally stored in plaintext instead of being disguised by a well-regarded hash function called bcrypt that Twitter uses. The unprotected passwords were stored before they could be completely hashed.
Details
A major gaffe for a big social media company
As a security measure, Twitter is notifying both mobile and desktop users to change their passwords. Notably, the company did not specify how many passwords were affected. David Kennedy, CEO of penetration testing firm TrustedSec, said, " Twitter is taking the right steps by requesting everyone change their password and making the bug public versus hiding it."
Twitter Post
The bug has been fixed: Twitter CTO Parag Agrawal
We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://t.co/yVKOqnlITA
— Parag Agrawal (@paraga) May 3, 2018
Security
Enable two-factor authentication to prevent you account from being hijacked
To change your account's password, navigate to Settings and privacy > Password. Enter your current password and then choose a new one. To set up two-factor authentication, go to Settings and privacy > Account. In the "Security" subsection, click on "Review your login verification methods", enter your password to confirm, and receive second-factor codes via SMS.