Data Insider, Digital Guardian's Blog

Twitter Urges All Users to Change Password Following Internal Bug

by Chris Brook on Friday May 4, 2018


The site says there's no evidence of a breach or misuse but that it's making efforts to prevent the incident from happening again.

Twitter urged more than 330 million of its users to change their passwords on Thursday after the company identified a bug, internally, that unmasked passwords in a log.

While the site claims there's no evidence of a breach or misuse, it reached out to users "out of an abundance of caution," late Thursday.

The service pushed an email to users alerting them of the issue but also displayed a pop-up notification upon logging into the service asking users to consider changing their password on Twitter, or any other service in which the same password was used.

According to Parag Agrawal, Twitter's Chief Technology Officer, a bug caused passwords to be written to an internal log before they were hashed with the popular password hashing function bcrypt.

“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote in a post to Twitter’s blog.
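The defect both Twitter and GitHub describe is a sequencing and logging problem: the request carrying the new password reaches a logger before the password has been hashed, so the log, not the user database, ends up holding the plaintext. The following added example (not Twitter's or GitHub's code; their systems are not public) shows the same failure in a constructed password-reset handler next to a hardened version that hashes first and redacts credential-bearing fields before anything is logged. The field names in `SENSITIVE_KEYS`, the sample request, and the use of stdlib PBKDF2-HMAC in place of bcrypt are all assumptions made for the example.

```python
"""Constructed example: plaintext password reaching a log before hashing,
beside a handler that hashes first and redacts the log event."""
import hashlib
import hmac
import io
import json
import logging
import os
from typing import Optional, Tuple

# Assumed field names that must never reach a log; extend for your own schema.
SENSITIVE_KEYS = frozenset({"password", "new_password", "current_password", "token"})
REDACTED = "[REDACTED]"

# Constructed sample request body, as a reset endpoint might receive it.
SAMPLE_REQUEST = {
    "user": "alice",
    "new_password": "correct horse battery staple",
    "client_ip": "203.0.113.7",
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; a stdlib stand-in for the bcrypt the article mentions."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex)).split("$")[2]
    return hmac.compare_digest(candidate, digest_hex)


def redact(event):
    """Recursively replace the values of credential-bearing keys in a log event."""
    if isinstance(event, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [redact(v) for v in event]
    return event


def _make_logger(name: str) -> Tuple[logging.Logger, io.StringIO]:
    """Fresh logger writing to an in-memory buffer so the 'log' can be inspected."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def reset_password_vulnerable(request: dict) -> Tuple[str, str]:
    """Logs the raw request body before hashing: the plaintext lands in the log.

    Returns (stored_hash, log_contents) so the leak can be checked."""
    logger, buf = _make_logger("reset.vulnerable")
    logger.info("password reset request: %s", json.dumps(request))  # leak
    stored = hash_password(request["new_password"])
    return stored, buf.getvalue()


def reset_password_hardened(request: dict) -> Tuple[str, str]:
    """Hashes first and logs only a redacted copy of the request.

    Returns (stored_hash, log_contents) so the absence of the leak can be checked."""
    logger, buf = _make_logger("reset.hardened")
    stored = hash_password(request["new_password"])
    logger.info("password reset request: %s", json.dumps(redact(request)))
    return stored, buf.getvalue()


if __name__ == "__main__":
    _, vuln_log = reset_password_vulnerable(SAMPLE_REQUEST)
    stored, safe_log = reset_password_hardened(SAMPLE_REQUEST)
    print("vulnerable log:", vuln_log.strip())
    print("hardened log:  ", safe_log.strip())
    print("verify:", verify_password(SAMPLE_REQUEST["new_password"], stored))
```

The redaction runs on the structured event rather than on the formatted string, which is the check a log-review or pre-commit rule would enforce: any handler that serializes a request body must pass it through `redact` (or an equivalent allowlist) first, and hashing must happen before the first log call.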

What remains unclear is how long the log was storing passwords in plaintext and why it took engineers so long to notice. Twitter did not immediately return a request for comment on Thursday.


It’s possible, as some users have speculated on Twitter, that the site uses the same third-party library or system as GitHub, another service that admitted this week that an unspecified internal log bug exposed some users' passwords in plaintext.

"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users' passwords to our internal logging system," GitHub said in an email sent to users on Tuesday. Like Twitter, GitHub stressed in the email that it stores user passwords with bcrypt but that the "recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset," something that suggests the number of those affected by the GitHub issue is far fewer than those affected by the Twitter incident.

While the incident is a major gaffe and a fairly large oversight on Twitter's part, several security experts, including the Electronic Frontier Foundation's Eva Galperin and Facebook's departing CSO Alex Stamos, noted that the company's coming clean about the incident shouldn't be overlooked.

Twitter users throughout the afternoon acknowledged the irony of the situation. News of the bug came on World Password Day, a holiday contrived by organizations to foster better password habits.

Tags: Privacy, Passwords, Social Media Security

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.