Go Change Your Twitter Password Now

Go Change Your Twitter Password Now

Photo: Matt Rourke (AP)

You need to change your Twitter password.

Due to a “bug” in its system, some 330 million Twitter users’ passwords may have been temporarily exposed, CTO Parag Agrawal announced on the official Twitter blog Thursday afternoon. 

Twitter says it corrected the error in its system, which left passwords viewable in plaintext rather than properly scrambled, but it is still urging all users to change their password.

Agrawal explained the snafu in the blog post, writing that although Twitter protocol is to use hashing to mask passwords, a “bug” caused users’ to be “written to an internal log before completing the hashing process.”

This internal log is not encrypted, and the data, unprotected by hashing, was temporarily exposed.

Bottom line: Go change your password. Now.

To change your password via Twitter’s website, click on your profile picture icon near the top-right corner > Settings and Privacy > Password.

Enter your current (now-exposed) password, and enter in a new, stronger password. If you’re not sure how to create a strong password, read this first.

On iOS and Android, click your profile picture icon in the top-left > Settings and Privacy > Account > Password (or, on iOS, “Change password“), and go through the password-change process explained above.


  • Eh, it’s not really anything to get too excited about right now – the only people that might have had access are Twitter engineers that can likely access your password other ways if they really wanted to anyway.

    • Not really, it was written to an internal log on the server. If their server was breached then someone could have grabbed it. It’s better safe than sorry.

      And it’s doubtful the Twingeneers have access to your unencrypted password.

      • Of course they do, as long as they have access to HTTP headers. The password *has* to be in plain text at some point or they couldn’t validate it. I suppose they could use JS to hash it, pass the hash to their back end, then salt it and hash it again, but that’s very error-prone.

  • They should be hashing the passwords client-side before sending them over http… then this sort of thing can never happen, and they cover their asses… fail.

  • Bummer. Still… At least they didn’t wait until an investigation to tell everyone.

  • Hey, this would be a good opportunity to never use Twitter again.

Show more comments

Comments are closed.

Log in to comment on this story!