On Thursday, Twitter chief technology officer Parag Agrawal disclosed in a blog post that the company had inadvertently recorded user passwords, in plaintext, in an internal system. This is not how things are supposed to go! And while Twitter has fixed the bug, and doesn’t think any of the exposed passwords were accessed in any way, you should still change your Twitter password right now to make sure your account is secure.
“It’s a bad thing and Twitter should be held to the fire for it,” says David Kennedy, CEO of the penetration testing firm TrustedSec. “But they are taking the right steps by requesting everyone change their password and making the bug public versus hiding it.”
Twitter has begun notifying both mobile and desktop users to change their passwords, but several people have reported errors and lags, presumably because everyone is trying to make account changes at once (which is good!).
Companies generally protect user passwords by scrambling them in a cryptographic process known as hashing. As Agrawal explained, Twitter does this, too, using a well-regarded hash function called bcrypt. But a bug caused Twitter to accidentally store passwords unprotected in some type of internal log before its password management system finished hashing them. The system would then complete the hash, and everything would look fine, even though the passwords were readable in the log. While it’s great that Twitter eventually realized the situation and is taking steps to ensure that it never happens again, it’s disconcerting that such a fundamental flaw in a crucial user protection existed in the first place.
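As an added illustration of the bug pattern described above (constructed example code, not Twitter's system; it uses hashlib's PBKDF2 as a stand-in for bcrypt so it runs without extra packages), the vulnerable handler logs the request before hashing completes, while the hardened one hashes first and logs only a redacted copy, with a check that a log-review job could run to catch the leak:

```python
import hashlib
import io
import logging
import os

SECRET_FIELDS = {"password", "new_password", "current_password"}

def hash_password(password: str) -> str:
    """Salted slow hash; stands in for bcrypt (assumption, keeps the example stdlib-only)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def redact(record: dict) -> dict:
    """Mask secret fields so a log line never carries a plaintext password."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in record.items()}

def make_logger(name: str) -> tuple:
    """Logger writing to an in-memory buffer so the caller can inspect what was logged."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf

def change_password_vulnerable(request: dict) -> tuple:
    """Bug pattern: the raw request is logged before hashing completes."""
    logger, buf = make_logger("vulnerable")
    logger.debug("password change request: %s", request)  # plaintext lands in the log
    stored = hash_password(request["new_password"])
    return stored, buf.getvalue()

def change_password_hardened(request: dict) -> tuple:
    """Hash first, then log only the redacted view; the plaintext reaches no sink."""
    logger, buf = make_logger("hardened")
    stored = hash_password(request["new_password"])
    logger.debug("password change request: %s", redact(request))
    return stored, buf.getvalue()

def log_leaks_secret(log_text: str, secret: str) -> bool:
    """Detection check a log-review job could run: is the plaintext present in the log?"""
    return secret in log_text

if __name__ == "__main__":
    req = {"user": "alice", "new_password": "correct horse battery staple"}  # constructed
    for fn in (change_password_vulnerable, change_password_hardened):
        print(fn.__name__, "leaks:", log_leaks_secret(fn(req)[1], req["new_password"]))
```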
“I’m sorry that this happened,” Agrawal wrote on Twitter after posting the announcement. “We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do.” The disclosure came on World Password Day.
It’s true that Twitter could have simply implemented remediations and hoped for the best, but its users deserve to know if and when their passwords have been exposed—especially because it’s always possible that the data actually was improperly accessed. And the company could have gone even farther with its disclosure. “We ask that you consider changing your password on all services where you’ve used this password,” Agrawal wrote in the statement. Instead of making it optional, Twitter could have forced all of its users to change their passwords to guarantee their security.
To do just that for your own account, navigate to Settings and privacy > Password. Enter your current password and then pick a new one. And if you used your old Twitter password for any other accounts, you should change those, too.
While you’re at it, set up two-factor authentication for Twitter if you don’t have it enabled already. Go to Settings and privacy > Account. In the Security subsection, click on Review your login verification methods. After entering your (newly revised) password to confirm that you want to make changes, you’ll land on a Login verification screen. Here you can set things up so you receive second factor codes via SMS or, preferably, using a code-generating app like Google Authenticator or Authy. The problem Twitter announced today is exactly the type of situation where two-factor is helpful—even if your Twitter password was compromised while it was exposed in the internal log, two-factor would keep a bad actor from using that information alone to access your account.
Twitter declined to comment on how long the plaintext passwords were exposed, or why the company decided not to reset all user passwords, but it seems to have acted in good faith to resolve the issue. For a platform with 336 million users, though, it’s a pretty major gaffe.