PSA: Twitter tells all subscribers to change their passwords because of bug

Twitter is asking all 336 million users to immediately change their passwords. It seems that a bug allowed users' passwords to be saved on an internal log without encryption. There is no indication that they have been used or leaked, but as a precaution, Twitter is suggesting that new passwords be used by its subscribers. Twitter Support disseminated a tweet earlier this afternoon suggesting that Twitter subscribers "consider changing your password on all services where you’ve used this password."

The company did not reveal how many passwords were discovered on the internal log and Twitter executives Jack Dorsey (COO) and Parag Agrawal (CTO) each sent out their own tweets about the bug. Dorsey wrote, "We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect." Agrawal tweeted, "We are sharing this information to help people make an informed decision about their account security."

According to a post on Twitter's website, the company uses a program called bcrypt that replaces a password with an entirely random series of letters and numbers. That process is called hashing, and this is how Twitter validates your password without you having to actually reveal it to the company. According to Twitter, this is standard in the industry.

However, a bug allowed the passwords to be entered on an internal log before the hashing process. Twitter says that it found the error itself, removed the password, and is working on a plan to prevent the bug from returning.

If you are concerned about personal privacy and security, your best bet is not only to change your Twitter password, but also change it on any other service you subscribe to that shares the same password as the one you use on Twitter.


source: @TwitterSupport, @jack, @paraga via CNN