Twitter Admits All Passwords Visible to Employees Due to 'Bug' and Advises Password Change

Social media company Twitter has advised users to change their account passwords after it was discovered that a bug resulted in user passwords being stored in an insecure manner.

In a blog post titled “Keeping your account secure,” company CTO Parag Agrawal explained that the platform utilizes software that masks user passwords, preventing anyone at the company from viewing them. But due to a bug, all user passwords were stored in plaintext in an internal log. Agarwal says that they have investigated and fixed the bug and so far have found no signs of misuse or breach of user data.

Twitter uses a process called hashing and a function called “bcrypt” to replace user passwords with random numbers and letters which are stored in Twitter’s system, this is how Twitter validates all user data and is an “industry standard” according to Agrawal. Somehow, this process failed, resulting in all of the site’s 300 million users passwords being made visible to multiple employees working at the company.

Agrawal tweeted that Twitter “didn’t have to” alert users to the error but did so as they believed it was the “right thing to do.”

The company has advised all Twitter users to change their passwords to prevent the possible hacking of their accounts, and provided tips on account security.

The tips that Twitter outlined were:

1. Change your password on Twitter and on any other service where you may have used the same password.
2. Use a strong password that you don’t reuse on other websites.
3. Enable login verification, also known as two-factor authentication. This is the single best action you can take to increase your account security.
4. Use a password manager to make sure you’re using strong, unique passwords everywhere.

Twitter ended their blog post by apologizing for the error saying: