Twitter Suggests All Users Change Passwords Due To Unprotected Password Storage

Due to a system bug, the social network stored user passwords in plain text.


Twitter advised users to change passwords after finding a bug in its systems, CBS Los Angeles reported today. This was also announced on Twitter’s corporate blog, in a blog post attributed to CTO Parag Agrawal.

“We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.”

Twitter encouraged all of its approximately 330 million users to change their passwords. It also advised users to change the password on any other service where they have reused it. The social network further encouraged its users to enable two-factor authentication to reduce the risk of their accounts being compromised.

According to CTO Parag Agrawal, Twitter normally masks passwords through a process called hashing. This function replaces the actual plain-text password with a randomly looking set of symbols (numbers and letters) that is what gets stored in the social network’s systems. This is an industry standard and lets tech companies validate a user’s credentials without ever keeping the actual password. Due to a bug, Agrawal wrote, passwords were written to an internal log before the hashing process had completed. According to Mr. Agrawal, the social network has found the error and is implementing plans to prevent it from happening again.
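The defect described above is a logging problem, not a hashing problem: the hash was fine, but a log statement saw the request before the hash was computed. The following is an added illustration (not Twitter’s code; the blog post does not say which hash function Twitter uses, so PBKDF2-HMAC-SHA256 is an assumption here) of the two controls a defender would want: a salted, slow hash so the password never sits in the account store, and log redaction plus a filter that refuses to emit any record still carrying the raw credential. The user name, password and log lines are constructed sample data.

```python
"""Keep plaintext passwords out of both the account store and the logs (constructed example)."""
import hashlib
import hmac
import json
import logging
import os
from io import StringIO
from typing import Optional

PBKDF2_ITERATIONS = 600_000          # assumed work factor; tune to the hardware
SENSITIVE_FIELDS = {"password", "new_password", "old_password"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing salted PBKDF2 record; the plaintext is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def redact(payload: dict) -> dict:
    """Copy of a request payload with credential fields masked, safe to log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}


class CredentialFilter(logging.Filter):
    """Last line of defence: drop any log record that still contains a raw password.

    `secrets` holds the plaintexts currently in flight; a real service would scope
    this per request instead of keeping it on the filter object.
    """

    def __init__(self):
        super().__init__()
        self.secrets = set()
        self.dropped = 0

    def filter(self, record: logging.LogRecord) -> bool:
        message = record.getMessage()
        if any(s and s in message for s in self.secrets):
            self.dropped += 1
            return False
        return True


def handle_login(payload: dict, user_store: dict, log: logging.Logger) -> bool:
    """Log the request only after redaction, then verify against the stored hash."""
    log.info("login attempt: %s", json.dumps(redact(payload), sort_keys=True))
    stored = user_store.get(payload.get("username"))
    return stored is not None and verify_password(payload.get("password", ""), stored)


def run_demo() -> dict:
    """Register a user, attempt two logins, replay the reported defect, report what reached the log."""
    buffer = StringIO()
    log = logging.getLogger("auth-demo")
    log.setLevel(logging.INFO)
    log.handlers.clear()                 # keeps repeated calls idempotent
    log.propagate = False
    handler = logging.StreamHandler(buffer)
    guard = CredentialFilter()
    handler.addFilter(guard)
    log.addHandler(handler)

    password = "correct horse battery staple"   # constructed sample credential
    guard.secrets.add(password)
    user_store = {"alice": hash_password(password)}

    good = handle_login({"username": "alice", "password": password}, user_store, log)
    bad = handle_login({"username": "alice", "password": "wrong"}, user_store, log)
    # The reported defect, simulated: a log line that sees the raw request before hashing.
    log.info("raw request: %s", json.dumps({"username": "alice", "password": password}))

    log_text = buffer.getvalue()
    return {
        "good_login": good,
        "bad_login": bad,
        "plaintext_in_log": password in log_text,
        "plaintext_in_store": password in user_store["alice"],
        "records_dropped_by_filter": guard.dropped,
        "log_text": log_text,
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The filter is deliberately the second control, not the first: redacting at the call site is what prevents the leak, and the filter only catches the call site that was forgotten (the simulated "raw request" line), which is exactly the shape of bug the blog post describes.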

In the same blog post, Twitter’s CTO encouraged users to choose a strong password that they don’t use anywhere else, to enable login verification, and to use a password manager to make sure every password is unique and strong.

The social network has also apologized to its users, vowing that it is committed to earning back their trust.

In January of this year, an undercover video showing Clay Haynes, a senior network security engineer at Twitter, sharing insider information about how this social network operates went viral. The video was recorded by undercover reporters working for Project Veritas, a non-profit organization whose goal, according to their official website, is “investigating and exposing corruption, dishonesty, self-dealing, waste, fraud, and other misconduct.”

Interestingly, in the snippet that James O’Keefe, journalist and president of Project Veritas, posted to Twitter, senior network security engineer Clay Haynes can be heard implying Twitter has the habit of storing user passwords in plain text.

“What we can do on our side is actually very terrifying. We have full access to every single person’s account, every single direct message, deleted direct messages, deleted tweets. I can tell you who exactly logged in from where, what username and password, when they changed their password.”

Clay Haynes went on to say that Twitter keeps user data for law enforcement, in case they ever get subpoenaed, adding that this also helps them (Twitter) “detect a pattern of history.”

“It’s very, very dangerous. Also, very, very, very creepy. Big Brother-ish,” Haynes concluded.

“The individual depicted in this video was speaking in a personal capacity and does not represent or speak for Twitter,” Twitter’s spokesman told Business Insider after the scandal hit the headlines.