Twitter is urging its 330 million users to change their passwords right away after it accidentally “unmasked” user passwords by storing them in an unencrypted format in an internal log file.
The company says it has since resolved the mistake and that an internal investigation revealed no indication that passwords were stolen or misused. However, users are still being urged to change their password as a precaution.
"We recently found a bug that stored passwords unmasked in an internal log," stated a tweet from the official Twitter Support account. "We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password."
Issue in the hashing process
The platform explained in a blog post that Twitter “hashes” passwords using the bcrypt hashing algorithm, but the bug caused passwords to be written to an internal log before the hashing step had been completed.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Twitter said.
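To make the failure mode concrete, here is an added illustration (not Twitter's code, whose internals are not public) of the two orderings: a handler that logs the request before the password is hashed, beside one that hashes first and logs only a redacted view. PBKDF2 from the standard library stands in for bcrypt so the snippet runs without extra packages; the request, field names and logger setup are all constructed for the example.

```python
"""Logging a credential before it is hashed vs. redacting it first."""
import hashlib
import io
import logging
import os
from typing import Optional, Tuple

# Constructed sample request; not real user data.
SAMPLE_REQUEST = {"user": "alice", "password": "correct horse battery staple"}
# Field names treated as secrets by the redaction step (assumed list).
SECRET_FIELDS = {"password", "passwd", "new_password", "token"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 stands in for bcrypt here. Returns 'salt$digest' in hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


def redact(record: dict) -> dict:
    """Replace secret-bearing fields before the record reaches any log sink."""
    return {k: "[REDACTED]" if k.lower() in SECRET_FIELDS else v
            for k, v in record.items()}


def _logger(name: str) -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory buffer so the output can be inspected."""
    buf = io.StringIO()
    log = logging.getLogger(name)
    log.handlers.clear()
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(logging.StreamHandler(buf))
    return log, buf


def handle_vulnerable(request: dict) -> Tuple[str, str]:
    """Bug pattern: the raw request is logged before the password is hashed."""
    log, buf = _logger("vulnerable")
    log.info("password update: %s", request)  # plaintext lands in the log
    return hash_password(request["password"]), buf.getvalue()


def handle_fixed(request: dict) -> Tuple[str, str]:
    """Fix: hash first, then log a redacted view; the raw credential never leaves."""
    log, buf = _logger("fixed")
    stored = hash_password(request["password"])
    log.info("password update: %s", redact(request))
    return stored, buf.getvalue()


def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Detection check: does captured log output contain the raw secret?"""
    return secret in log_text
```

The same `log_leaks_secret` check, run against real log output with a known test credential, is a cheap regression test for the "logged before hashing" bug.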
Users are advised to change their passwords on Twitter and anywhere else they use their Twitter passwords, including third-party apps like TweetDeck or Twitterrific. The replacement password should be strong and unique. The company also recommends enabling two-factor authentication and using a password manager.
Twitter didn’t say how many user passwords may have been exposed or how long the bug lasted. However, a person familiar with the company’s response told Reuters the number was “substantial” and that passwords were exposed for “several months."