Another day, another reason to make sure you use unique passwords for each site or service you use. Twitter has today announced that a bug in their software left passwords in plaintext in internal logs.
Normally, Twitter says, it uses the industry-standard password hashing function bcrypt to turn each password into ‘a random set of numbers and letters’, which lets Twitter ‘validate your account credentials without revealing your password’. (bcrypt adds a per-password salt and is deliberately slow to compute, so the stored value can be checked against a login attempt but cannot practically be reversed to recover the password.) That was not happening everywhere in the pipeline, though: Twitter found that ‘an internal log’ was recording passwords in plain text before they reached the hashing step.
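The two halves of that paragraph, hashing done right and a log line that captures the password before hashing happens, in one runnable example. This is added illustration, not Twitter's code, and it does not claim to show where Twitter's bug was. It assumes Python's standard-library `hashlib.scrypt` in place of bcrypt (any salted, slow password hash makes the same point); the account, request and log lines are constructed, and the function names are this example's own. The fix shown is a `logging.Filter` that scrubs credential fields out of every record before it is formatted, so a careless `logger.info(..., form)` cannot leak them.

```python
"""Password hashing versus logging: an added example, not Twitter's code.

Assumption: hashlib.scrypt (standard library) stands in for bcrypt. The
user, password and log output below are constructed for the demo.
"""
import hashlib
import hmac
import io
import logging
import os

# scrypt work factor: 16 MiB of memory and a few tens of ms per hash.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
# Form/log keys whose values must never reach a log file.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password", "token"}


def hash_password(password):
    """Return 'scrypt$<salt>$<digest>' for storage.

    A fresh random salt means two users with the same password get different
    stored values; the slow KDF makes offline guessing expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-derive the digest with the stored salt and compare in constant time.

    This is the 'validate credentials without revealing the password' step:
    the server only ever needs the login attempt, never the original password.
    """
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    attempt = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(attempt, bytes.fromhex(digest_hex))


def _redact(value):
    """Recursively replace values stored under sensitive keys in dicts/lists/tuples."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else _redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(_redact(v) for v in value)
    return value


class RedactSensitiveFields(logging.Filter):
    """Scrub credentials out of a record's arguments before it is formatted."""

    def filter(self, record):
        record.args = _redact(record.args)
        return True


def make_logger(name, redact):
    """Isolated logger writing to an in-memory buffer; returns (logger, buffer)."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSensitiveFields())
    logger.addHandler(handler)
    return logger, buf


def login(logger, users, form):
    """Login handler. The first log call is the bug: it records the whole form,
    password included, before the password reaches the hash function. Only the
    redaction filter on the logger keeps that line safe."""
    logger.info("login request: %s", form)
    stored = users.get(form.get("username"))
    ok = stored is not None and verify_password(form.get("password", ""), stored)
    logger.info("login result user=%s ok=%s", form.get("username"), ok)
    return ok


def demo(password="correct horse battery staple"):
    """Run one login through an unfiltered and a filtered logger.

    Returns (buggy_log, fixed_log, login_ok): the buggy log contains the
    plaintext password, the fixed log contains '[REDACTED]' instead."""
    users = {"alice": hash_password(password)}          # constructed account
    form = {"username": "alice", "password": password}  # constructed request
    buggy_logger, buggy_buf = make_logger("example.buggy", redact=False)
    fixed_logger, fixed_buf = make_logger("example.fixed", redact=True)
    ok = login(buggy_logger, users, form) and login(fixed_logger, users, form)
    return buggy_buf.getvalue(), fixed_buf.getvalue(), ok


if __name__ == "__main__":
    buggy, fixed, ok = demo()
    print("login ok:", ok)
    print("--- unfiltered log ---\n" + buggy)
    print("--- filtered log ---\n" + fixed)
```

The filter sits on the handler rather than at each call site on purpose: the hashing code in `verify_password` is correct, and the leak happens in an unrelated log statement, which is exactly the kind of mistake that is easy to miss in review. Redacting at the logging layer catches that class of bug wherever it appears, and an alert on any log line containing a known test password is a cheap check that the filter is actually installed in production.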
Twitter was quick to point out that it has fixed the bug. The only people who could plausibly have had access to the passwords while they sat in the logs were Twitter employees, and Twitter's internal investigation found no evidence that anyone breached the system or misused the bug.
Even though the investigation found no misuse, Twitter is still advising users to change their passwords. In a nod to normal human behaviour, Twitter also reminded users that if they use their Twitter password anywhere else, they should change it there too (and use a different password on every site or service). Users can further limit the impact of incidents like this by turning on two-factor authentication, so that a leaked password on its own is not enough to log in.
We’ve been saying it for a while, but we recommend using a password manager like 1Password, LastPass, Dashlane, KeePass or any of the other numerous password managers out there, which will generate a random password for each site and remember it for you.
For how to change your password on Twitter, head over to their support site now.