Twitter urges users to change login passwords
Company identifies a bug that left user information exposed
Twitter said Thursday a bug publicly exposed users’ passwords, and it urged users to change them.
The San Francisco-based social media company said it found a bug that “stored passwords unmasked in an internal log,” according to a blog post from Chief Technology Officer Parag Agrawal. Agrawal noted that an investigation showed no breach or abuse by a malicious actor.
Agrawal recommended Twitter users change their password to a unique, strong password, enable the service’s login-verification feature and use a password manager.
“We are very sorry this happened,” wrote Agrawal. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”
Twitter CEO Jack Dorsey tweeted that he and the company “believe it’s important for us to be open about this internal defect.”
It is unclear from Agrawal’s blog post whether all 330 million Twitter users were affected by the bug. Twitter did not immediately respond to a request for comment from this news organization.
Normally, Twitter, like most other websites that require passwords to log in, uses a process called hashing, which replaces the actual password with a seemingly random set of numbers and letters. After hashing, Twitter can validate the password’s credentials without revealing the full password.
But the Twitter password bug exported the passwords into an internal log before completing the hashing process, according to Agrawal.
On Thursday in a separate announcement, Twitter said it will move a portion of its infrastructure to Google Cloud’s web servers. Agrawal said the move will have many benefits, including improvements to the company’s data security.
Twitter’s announcement about the bug exposing users’ passwords came after the stock market closed Thursday. Its shares fell 1 percent in after-hours trading.
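The hashing step and the logging bug described above can be shown in a short sketch. This is an added example, not Twitter's code or anything from Agrawal's blog post: the field names, logger names and sample password are constructed, and PBKDF2 stands in for whatever hash function the service uses, which the article does not name.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password"}  # hypothetical form field names

class RedactSecrets(logging.Filter):
    """Mask sensitive values in dict-style log arguments before they are written."""
    def filter(self, record):
        if isinstance(record.args, dict):
            # Build a new dict so the caller's form data is left untouched.
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt=None):
    """Salted, slow hash: only (salt, digest) is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest

def verify_password(password, salt, digest):
    """Re-hash the login attempt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def signup(form, logger):
    # The bug class from the article: the request is logged before hashing,
    # so without redaction the plaintext password lands in the log.
    logger.info("signup request: %s", form)
    salt, digest = hash_password(form["password"])
    return {"user": form["user"], "salt": salt, "hash": digest}

def run_signup(redact):
    """Run one signup against an in-memory log; return (log text, stored record)."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSecrets())
    logger = logging.getLogger(f"signup-demo-{redact}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(handler)
    form = {"user": "alice", "password": "constructed-sample-pw"}  # constructed input
    record = signup(form, logger)
    logger.removeHandler(handler)
    return buf.getvalue(), record

if __name__ == "__main__":
    for redact in (False, True):
        log_text, _ = run_signup(redact)
        print(f"redact={redact}: {log_text.strip()}")
```

The stored record verifies a later login without holding the password, while the unfiltered log line is the only place the plaintext survives, which is why the logging path needs the same scrutiny as the credential store.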