MICROBLOGGING WEBSITE Twitter is urging its 336 million users to change their passwords after a bug wrote them to an internal log in plaintext.
"When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log," Twitter CTO Parag Agrawal said in a blog post on Thursday.
Agrawal explained that although Twitter's standard practice is to hash passwords with bcrypt before storing them, the bug caused plaintext passwords to be "written to an internal log before completing the hashing process."
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," he added, noting that an investigation "shows no indication of breach or misuse" by anyone.
Twitter didn't reveal how many accounts were affected by the glitch, but Reuters reports that the number was "substantial" and that passwords were exposed for "several months." This same report claims that the bug was first uncovered a few weeks ago and has been reported to "some regulators."
Following the discovery of the glitch, the firm is advising all of its users to change their password on Twitter and on all services where they have used the same password "as a precaution".
To do so, head over to Twitter.com, click on your profile picture in the top-right corner and head to Settings and Privacy > Password.
Users have also been advised to turn on two-factor authentication, with Agrawal noting: "This is the single best action you can take to increase your account security."
GitHub on Tuesday said it had also exposed some users' plaintext passwords after they were written to an internal logging system. The firm said that while it normally stores user passwords only as cryptographic hashes, a recently introduced bug caused its internal logs to record the plaintext password whenever a user initiated a password reset.
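Both incidents come down to the same pattern: a request is logged before the password in it has been hashed. The following is an added example in Python, not Twitter's or GitHub's code, showing a handler that logs the raw request before hashing, the hardened version that hashes first and redacts sensitive fields before logging, and a log sweep of the kind an incident responder would run to find plaintext credentials already written. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages; the field names, logger, regular expression and sample request are assumptions for illustration.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Request fields that must never reach a log in the clear (assumed names).
SENSITIVE_KEYS = {"password", "new_password", "password_confirmation", "token"}

# In-memory log sink so the example runs offline. A real service writes to
# files or a log shipper, which is exactly where the leak ends up.
_log_buffer = StringIO()
logger = logging.getLogger("auth-example")
logger.setLevel(logging.INFO)
logger.propagate = False
_handler = logging.StreamHandler(_log_buffer)
_handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
logger.addHandler(_handler)

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; a stdlib stand-in for bcrypt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def redact(form: dict) -> dict:
    """Copy of the request with every sensitive field replaced."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in form.items()}


def set_password_vulnerable(form: dict) -> str:
    # BUG: the whole request is logged before the hash is computed, so the
    # plaintext password lands in the internal log, as in the incidents above.
    logger.info("password change request: %s", form)
    return hash_password(form["password"])


def set_password_hardened(form: dict) -> str:
    # Hash first, then log only a redacted view of the request.
    stored = hash_password(form["password"])
    logger.info("password change request: %s", redact(form))
    return stored


# Detection sweep: a sensitive key followed by a value that is not the
# redaction marker. Tuned to dict/JSON-style and key=value log lines.
_LEAK_RE = re.compile(
    r"""['"]?(password|new_password|password_confirmation|token)['"]?"""
    r"""\s*[:=]\s*['"]?(?!\[REDACTED\])([^'",}\s]+)"""
)


def find_leaked_credentials(log_text: str) -> list:
    """Return (field, plaintext value) pairs found in the given log text."""
    return [(m.group(1), m.group(2)) for m in _LEAK_RE.finditer(log_text)]


def _reset_log() -> None:
    _log_buffer.seek(0)
    _log_buffer.truncate()


def demo() -> tuple:
    """Run both handlers on a constructed request (not real data) and sweep the log."""
    form = {"user": "alice", "password": "Tr0ub4dor&3"}  # constructed sample

    _reset_log()
    set_password_vulnerable(form)
    leaked_from_vulnerable = find_leaked_credentials(_log_buffer.getvalue())

    _reset_log()
    stored = set_password_hardened(form)
    leaked_from_hardened = find_leaked_credentials(_log_buffer.getvalue())

    return leaked_from_vulnerable, leaked_from_hardened, verify_password(form["password"], stored)


if __name__ == "__main__":
    bad, good, ok = demo()
    print("vulnerable handler leaked:", bad)
    print("hardened handler leaked:  ", good)
    print("hardened hash verifies:   ", ok)
```

The redaction here is applied by the caller, which is the minimum fix; a filter attached to every log handler that scrubs sensitive keys from any record is the defence-in-depth version, since the code path that leaks is usually one nobody thought to redact. The sweep regex is deliberately simple and will miss other encodings, so treat it as a starting point for a log review rather than proof that nothing leaked.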
It's not yet known if the two incidents are related. µ