Home » Cybersecurity » Cyberlaw » Twitter security snafu: change your passwords

Twitter security snafu: change your passwords

If you’re logging into Twitter after having been AWOL for a day or two, you’ll likely be seeing one of these pop-ups talking about account security:

Click to enlarge

Don’t panic, it’s nothing that can’t be fixed.

The message reads as follows:

Keeping your account secure

When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password

This text is taken from a post on the official Twitter blog, where they explain what happened (admittedly, without a great deal of additional information), and what you should do to ward off account compromise.

One slight issue I have with the notification wording is that they “ask” users to “consider” changing passwords. It feels like they should have been a lot more forceful here, or just automatically scrubbed all existing logins, making everyone update their passwords by default. Regardless of messaging, the moment a password is exposed—no matter what capacity, internally or externally—you owe it to yourself to go change it before things become problematic.

A big issue with passwords being exposed in this kind of scenario would be a lack of two-factor authentication combined with password reuse. Not everyone makes use of 2FA, and that equals a potential threat where people reuse the same login across multiple, unrelated accounts. Thankfully, Twitter has addressed this, giving users the necessary information to do something about it.

From the blog:

1. Change your password on Twitter and on any other service where you may have used the same password.

2. Use a strong password that you don’t reuse on other websites.

3. Enable login verification, also known as two factor authentication. This is the single best action you can take to increase your account security.

4. Use a password manager to make sure you’re using strong, unique passwords everywhere.

Interestingly, it appears GitHub recently ran into a similar issue with internally exposed passwords (though it doesn’t seem to be on the same scale as Twitter’s snafu):

Hi @briankrebs I got a similar email from GitHub. I don’t know whether this too large scale as that of Twitter. pic.twitter.com/6wWKOLG4WK

— deegovee (@deegovee) May 4, 2018

https://platform.twitter.com/widgets.js

As some Twitter users have suggested, it’s possible someone at Twitter read about the GitHub incident, checked their own logs, and then said “Oh no” a lot. However this all came about, and keeping in mind how information available to social network employees can potentially be abused, we should be mindful that despite our best efforts as a user of a service, ultimately something can go wrong that’s entirely out of our hands. In the Twitter and GitHub cases, we strongly advise keeping passwords unique and making use of 2FA to avoid losing control of important accounts.

If you want to know more about password managers, why you might want to use them, and what ones are out there, you should check out our blog on that very subject. Just keep in mind that sometimes incidents do happen, and that password managers can also be good targets for scammers. Weigh up the pros and cons, and make the decision best suited for you personally.

If you’d like to find out about two factor authentication, then our piece on 2FA basics will likely be just what you need. We even have some advice for what to do if you need to go on holiday and 2FA by SMS codes won’t be available.

Finally, if you spend a lot of time on mobile Twitter, then you may wish to think about securing your mobile device, too. All the fancy passwords in the world alongside a slice of 2FA won’t help much if someone retrieves your lost phone from a ditch and starts spamming an inventive collection of swear words and pornography links to your colleagues.

To summarize, then; login as soon as possible, change your password (and enable 2FA), take a look at your security settings, examine your third-party applications, and keep on Tweeting. Your social media vertical increasing can go about its business. Hooray!