Photo: Matt Rourke (AP)
You need to change your Twitter password.
Due to a “bug” in its system, some 330 million Twitter users’ passwords may have been temporarily exposed, CTO Parag Agrawal announced on the official Twitter blog Thursday afternoon.
Twitter says it corrected the error in its system, which left passwords viewable in plaintext rather than properly scrambled, but it is still urging all users to change their password.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Agrawal explained the snafu in the blog post, writing that although Twitter protocol is to use hashing to mask passwords, a “bug” caused users’ passwords to be “written to an internal log before completing the hashing process.”
This internal log is not encrypted, and the data, unprotected by hashing, was temporarily exposed.
I’m sorry that this happened, but am proud to work at a company that puts people who use our service first.
— Parag Agrawal (@paraga) May 3, 2018
Bottom line: Go change your password. Now.
To change your password via Twitter’s website, click on your profile picture icon near the top-right corner > Settings and Privacy > Password.
Enter your current (now-exposed) password, and enter in a new, stronger password. If you’re not sure how to create a strong password, read this first.
On iOS and Android, click your profile picture icon in the top-left > Settings and Privacy > Account > Password (or, on iOS, “Change password”), and go through the password-change process explained above.
Comments
10 responses to “Go Change Your Twitter Password Now”
Eh, it’s not really anything to get too excited about right now – the only people that might have had access are Twitter engineers that can likely access your password other ways if they really wanted to anyway.
Not really, it was written to an internal log on the server. If their server was breached then someone could have grabbed it. It’s better safe than sorry.
And it’s doubtful the Twingeneers have access to your unencrypted password.
Of course they do, as long as they have access to HTTP headers. The password *has* to be in plain text at some point or they couldn’t validate it. I suppose they could use JS to hash it, pass the hash to their back end, then salt it and hash it again, but that’s very error-prone.
There are secure ways of proving knowledge of a password without transmitting it, for instance Secure Remote Password:
https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
They should be hashing the passwords client-side before sending them over http… then this sort of thing can never happen, and they cover their asses… fail.
Bummer. Still… At least they didn’t wait until an investigation to tell everyone.
Oooo, I see what you did there. Nice burn!
Won’t do them any good, I get a text with a code to log in 🙂
Just be careful if you use that e-mail/password combo elsewhere.
Hey, this would be a good opportunity to never use Twitter again.