Twitter Plain Text Password Bug Prompts Users for Immediate Password Change

Twitter has warned its 330 million users to immediately change their passwords, as a result of a bug that caused passwords to be logged in plaintext before being hashed. Although Twitter says passwords are stored using the bcrypt hashing algorithm, it seems they were inadvertently placed in an internal log before being hashed.

“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” reads the Twitter blog post. “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

The vulnerability does not appear to have been misused by cyber criminals nor have Twitter’s systems been breached or misused to access these plaintext passwords. However, because the blog post seems to encourage all Twitter users to change their passwords, it is believed that the number of potentially affected accounts is significant, and the vulnerability may have been present for months before it was detected.

“Out of an abundance of caution,” the social network strongly advises users to immediately change their account passwords, while also enabling two-factor authentication for additional security. Twitter also emphasizes that the vulnerability has been addressed, while apologizing for the incident.

“We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” reads the blog post. ”We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”

Twitter is the second company this week to reveal the existence of a “bug” in its password management systems, with GitHub announcing a similar vulnerability just days ago. From their description and warning to users, the two companies seem to have experienced the same type of password security issue.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Liviu Arsene. Read the original post at: