Twitter Bug Stores Passwords in Plain Text

Twitter is asking its 300 million users to change their passwords after a bug in its system meant they were stored for a time in plain text.

The firm’s CTO, Parag Agrawal, claimed the firm had uncovered no sign of any breach or misuse, but was recommending the change “out of an abundance of caution.”

“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard,” he explained.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
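The two points in Agrawal’s explanation, hashing credentials with a salted one-way function and keeping the plaintext out of internal logs, can be shown in a short added example. This is not Twitter’s code: `hashlib.scrypt` stands in for bcrypt because it ships with Python’s standard library and has the same relevant property (salted, slow, one-way), and the `SecretRedactingFilter`, its regular expression, and the `handle_login` function are constructed for illustration. The filter is the control that would have caught the described bug, where the password reached a log record before the hashing step ran.

```python
"""Added example (not Twitter's code): salted password hashing plus a logging
filter that stops plaintext passwords from reaching any log handler.

hashlib.scrypt is used in place of bcrypt because it is in the standard library.
"""
import hashlib
import hmac
import logging
import os
import re
from typing import List, Optional

# scrypt cost parameters (constructed values; ~16 MiB of memory per hash).
_N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex'. A fresh random salt is used unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=_N, r=_R, p=_P, dklen=_DKLEN)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), n=_N, r=_R, p=_P, dklen=_DKLEN
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed pattern: any key that looks like a secret, followed by '=' or ':' and a value.
_SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd|token)\b(\s*[=:]\s*)([^\s,;&]+)")


def redact(message: str) -> str:
    """Replace the value of every secret-looking field with a marker."""
    return _SECRET_FIELD.sub(r"\1\2[REDACTED]", message)


class SecretRedactingFilter(logging.Filter):
    """Rewrite each record's message before any handler formats or writes it.

    Applied to the logger itself, so it runs regardless of which handler is attached.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


class ListHandler(logging.Handler):
    """Handler that appends formatted lines to a list so the example can inspect them."""

    def __init__(self, sink: List[str]) -> None:
        super().__init__()
        self.sink = sink

    def emit(self, record: logging.LogRecord) -> None:
        self.sink.append(self.format(record))


def build_logger(sink: List[str]) -> logging.Logger:
    """Fresh logger writing only to `sink`, with the redaction filter attached."""
    logger = logging.getLogger(f"auth.example.{id(sink)}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(ListHandler(sink))
    logger.addFilter(SecretRedactingFilter())
    return logger


def handle_login(username: str, password: str, stored_hash: str, sink: List[str]) -> bool:
    """Constructed login path that (wrongly) logs the raw request before hashing.

    The ordering mirrors the described bug; the filter is what keeps the
    plaintext out of `sink` even though the debug line is written first.
    """
    log = build_logger(sink)
    log.debug("login attempt user=%s password=%s", username, password)
    ok = verify_password(password, stored_hash)
    log.info("login result user=%s ok=%s", username, ok)
    return ok


if __name__ == "__main__":
    stored = hash_password("correct-horse-battery")  # constructed sample credential
    lines: List[str] = []
    print("verified:", handle_login("alice", "correct-horse-battery", stored, lines))
    print("\n".join(lines))
```

The filter is deliberately attached to the logger rather than to one handler, so adding a new file or network handler later does not reopen the leak; the regular expression is a coarse safety net and should be paired with never passing credentials into log calls in the first place.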

As well as recommending Twitter users change their passwords to a strong and unique credential, Agrawal suggested they use a password manager, and even go one better by switching on two-factor authentication.

“Those who could have access to the internal logging system could possibly retrieve those [plain text] passwords,” argued Avast security researcher, Martin Hron. “The risk that your password had been compromised is in a category of low to intermediate. However, it is advised to change your password, because no one is aware so far how long that logging had been in place.”

David Higgins, director of strategic accounts EMEA at CyberArk, suggested that Twitter should have strong authentication mechanisms in place to guard who could have seen that log file.

“Smart companies recognize that, given the extensive powers admins have in the network, what they access and how this access is managed is critical to secure and manage, typically using privileged access security technology to safeguard against the internal threat,” he said.
