Twitter Urges All Users to Change Password Following Internal Bug

by Chris Brook on Monday August 22, 2022

The site says there's no evidence of a breach or misuse but that it's making efforts to prevent the incident from happening again.

Twitter urged more than 330 million of its users to change their passwords on Thursday after the company identified a bug, internally, that unmasked passwords in a log.

While the site claims there's no evidence of a breach or misuse, it reached out to users "out of an abundance of caution," late Thursday.

The service pushed an email to users alerting them of the issue but also displayed a pop-up notification upon logging into the service asking users to consider changing their password on Twitter, or any other service in which the same password was used.

According to Parag Agrawal, Twitter's Chief Technology Officer, a bug caused passwords to be written to an internal log before they were hashed with the popular password hashing function bcrypt.
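The failure Agrawal describes is a logging-order bug: a handler records the raw request before the password is hashed, so the plaintext lands in an internal log even though the stored credential is protected. The following is an added illustration, not Twitter's or GitHub's code, showing that pattern next to two defensive controls: hashing before logging only non-secret fields, and a log filter that redacts sensitive keys as a last line of defence. The form data, logger names and the `reset_password_*` functions are constructed for the example; `hashlib.scrypt` from the standard library stands in for bcrypt, which is not in the standard library.

```python
import hashlib
import hmac
import io
import logging
import os
import re

# Keys whose values must never reach a log line (constructed list for this example).
SENSITIVE_KEYS = ("password", "new_password", "passwd", "token")

# Matches key=value, key: value, 'key': 'value' and "key": "value" for the keys above.
_SECRET_RE = re.compile(
    r"(['\"]?(?:" + "|".join(SENSITIVE_KEYS) + r")['\"]?\s*[=:]\s*)"
    r"(['\"]?)([^'\",}\s]+)(\2)",
    re.IGNORECASE,
)


def redact(text):
    """Replace the value of any sensitive key/value pair with [REDACTED]."""
    return _SECRET_RE.sub(r"\1\2[REDACTED]\4", text)


class RedactSecretsFilter(logging.Filter):
    """Handler-level filter: scrub secrets from every record before it is written."""

    def filter(self, record):
        record.msg = redact(record.getMessage())  # interpolate args, then scrub
        record.args = ()                           # already interpolated; avoid a second pass
        return True


def hash_password(password, salt=None):
    """Salted scrypt hash (stdlib stand-in for bcrypt); returns 'salt$digest' in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


def reset_password_buggy(form, log):
    """The pattern the article describes: the whole request is logged before hashing."""
    log.info("password reset request: %s", form)  # plaintext password lands in the log
    return hash_password(form["password"])


def reset_password_fixed(form, log):
    """Hash first; log only the fields an operator actually needs."""
    stored = hash_password(form["password"])
    log.info("password reset for user=%s", form["username"])
    return stored


def run_with_log_capture(handler_fn, form, use_filter):
    """Run handler_fn against an in-memory log; return (stored_hash, captured_log_text)."""
    stream = io.StringIO()
    log = logging.getLogger("pwreset.%s.%s" % (handler_fn.__name__, use_filter))
    log.handlers.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    if use_filter:
        handler.addFilter(RedactSecretsFilter())
    log.addHandler(handler)
    stored = handler_fn(form, log)
    handler.flush()
    return stored, stream.getvalue()


# Constructed sample request; no real credential.
FORM = {"username": "alice", "password": "hunter2-constructed"}

if __name__ == "__main__":
    for fn, flt in ((reset_password_buggy, False), (reset_password_buggy, True),
                    (reset_password_fixed, False)):
        stored, text = run_with_log_capture(fn, FORM, flt)
        leaked = FORM["password"] in text
        print("%-22s filter=%-5s leaked=%s log=%r" % (fn.__name__, flt, leaked, text.strip()))
```

The filter is attached to the handler rather than the logger so it also catches records that other loggers propagate into the same sink; it is a safety net for the case the article describes, not a substitute for never passing the raw request object to a log call in the first place.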

“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote in a post to Twitter’s blog.

What remains unclear is how long the log was storing passwords in plaintext and why it took engineers so long to notice. Twitter did not immediately return a request for comment on Thursday.

It’s possible, as some users have speculated on Twitter, that the site uses the same third-party library or system as GitHub, another service that admitted this week that an unspecified internal log bug exposed some users' passwords in plaintext.

"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," GitHub said in an email sent to users on Tuesday. Like Twitter, GitHub stressed in the email that it stores user passwords with bcrypt but that the "recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset," something that suggests the number of those affected by the GitHub issue is far fewer than those affected by the Twitter incident.

While the incident is a major gaffe and fairly large oversight on Twitter's part, several security experts, including the Electronic Frontier Foundation's Eva Galperin and Facebook's departing CSO Alex Stamos, noted the fact the company came clean about the incident shouldn't be overlooked.

Twitter users throughout the afternoon acknowledged the irony of the situation. News of the bug came on World Password Day, a holiday contrived by organizations to foster better password habits.

Tags: Privacy, Passwords, Social Media, Security