Twitter urges all 336M users to reset passwords due to hashing bug

Posted in General Discussion, edited May 2018
Twitter on Thursday issued a security alert recommending that its 336 million users change their passwords, the result of an apparent bug that caused some passwords to be written unprotected to an internal log.

The company revealed the issue in a post to its official blog and in tweets from Twitter Support. CEO Jack Dorsey and Twitter's official account retweeted the Twitter Support message shortly after it went live, while CTO Parag Agrawal tweeted an apology.

Full details are unknown, but Twitter says the recently discovered bug allowed user passwords to be written to an internal log before they were protected, or masked, by the hashing process known as bcrypt. That industry-standard password hashing function replaces the password with an apparently random string of letters and numbers from which the original cannot be recovered, and its absence at the logging step suggests Twitter was logging passwords in plain text.

Twitter has since fixed the glitch and is working to implement safeguards to prevent similar incidents from occurring in the future.
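To make the class of defect concrete, here is an added Python sketch (not Twitter's code, whose internals were never published): a login handler that logs the raw request form before hashing, beside the fixed handler and a log filter that redacts password fields as a safety net. hashlib.pbkdf2_hmac stands in for bcrypt so the block runs on the standard library alone; the form data is constructed.

```python
import hashlib, hmac, io, logging, os, re

# Constructed example: a login handler that logs the raw request form before hashing
# (the defect the article describes), beside the fixed handler and a redaction filter.
# hashlib.pbkdf2_hmac stands in for bcrypt so the block runs on the standard library alone.
SECRET_KEYS = ("password", "passwd", "pwd", "new_password")
ROUNDS = 200_000

def hash_password(password, salt=None):
    """Salted, slow hash: this string belongs in storage, never in a log line."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())

def verify_password(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(digest.hex(), digest_hex)

class RedactSecrets(logging.Filter):
    """Safety net: scrub password-like fields from every record before any sink sees it."""
    PATTERN = re.compile(r"('(?:%s)':\s*')[^']*(')" % "|".join(SECRET_KEYS))
    def filter(self, record):
        record.msg = self.PATTERN.sub(r"\1[REDACTED]\2", record.getMessage())
        record.args = None
        return True

def handle_login_buggy(form, log):
    log.info("login attempt: %r", form)  # BUG: plaintext password reaches the log before hashing
    return hash_password(form["password"])

def handle_login_fixed(form, log):
    log.info("login attempt: user=%s", form["username"])  # log only non-secret fields
    return hash_password(form["password"])

def capture_log(handler_fn, form, redact):
    """Run a handler against a fresh in-memory logger and return what it wrote."""
    buf = io.StringIO()
    log = logging.getLogger("demo.%s.%s" % (handler_fn.__name__, redact))
    log.handlers.clear(); log.filters.clear()
    log.propagate = False; log.setLevel(logging.INFO)
    log.addHandler(logging.StreamHandler(buf))
    if redact:
        log.addFilter(RedactSecrets())
    handler_fn(form, log)
    return buf.getvalue()

if __name__ == "__main__":
    form = {"username": "alice", "password": "hunter2-constructed"}  # constructed input
    print(capture_log(handle_login_buggy, form, False), capture_log(handle_login_buggy, form, True))
```

Run as a script it prints the same login attempt twice, once with the plaintext password in the log line and once with it replaced by [REDACTED]; the fixed handler never puts the secret near the logger in the first place.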

"We've fixed, see no indication of breach or misuse, and believe it's important for us to be open about this internal defect," Dorsey said in a tweet.

How long the bug was left undetected and how many passwords were affected by the glitch is unknown, but the company does not believe sensitive information left its internal servers or was harvested by a nefarious third party. According to Reuters, a person familiar with the matter said the number of passwords impacted by the bug is "substantial," adding that the information was exposed "for months." Twitter began to inform regulators of the bug when it was discovered a few weeks ago, the person said.

As a precautionary measure, Twitter is urging users to reset their Twitter passwords and the passwords of any other service where the same one was used. The company also suggests enabling two-factor authentication and using a password manager.

Following today's revelations, some users navigating to the service's homepage are seeing a pop-up message that includes notification of the problem and a direct link to system settings, where passwords can be updated.

While not a security breach, Twitter's password glitch adds to a growing pile of high-profile snafus from tech companies trusted with protecting user data. In many cases, services are targeted by hackers in an attempt to harvest personal information. For example, MyFitnessPal in March suffered a breach that exposed usernames, email addresses and passwords of some 150 million accounts.

Comments

  • Reply 1 of 19
    lkrupp Posts: 7,164 member
    You know, what's the use of taking measures to protect one's privacy when big web services can't even protect your frick'n password?
  • Reply 2 of 19
    cmd-z Posts: 54 member
    Amen. I hope someone responsible for such an egregious error is taken out behind the wood shed ...
  • Reply 3 of 19
    seankill Posts: 481 member
    What’s a “Twitter”?
  • Reply 4 of 19
    cgWerks Posts: 2,273 member
    Wow, I hadn't even heard about this anywhere else. Thanks!
    Passwords changed for all accounts. :)

    lkrupp said:
    You know, what's the use of taking measures to protect one's privacy when big web services can't even protect your frick'n password?
    Password Manager!!!
    At least then you'll only ever have one account hacked no matter how bad of a job they do.
  • Reply 5 of 19
    chasm Posts: 1,649 member
    Who is still storing passwords in plain text in 2018? Idiots, that’s who.

    Facebook: oops, data we sold ended up in the wrong hands!
    Twitter: hold my beer ...
    edited May 2018
  • Reply 6 of 19
    seanismorris Posts: 1,045 member
    If the passwords were saved in a log in an unencrypted format, all users are at risk...

    So...someone created a log to debug the login process, fixed whatever problem they were looking at, and no one ever looked at it again.  That’s not really possible...

    The login process is probably the most common thing to attack by hackers, reviewing the process and fixing issues would be continuous.

    I wonder if an external code review uncovered the problem, and the internal people knew about it but were ignoring it for convenience until they were called out on it.
  • Reply 7 of 19
    cpsro Posts: 2,476 member
    cgWerks said:
    Passwords changed for all accounts. :)
    Eggsactly! There are far fewer users than accounts on Titter and Farcebook.

    What if an account hasn't been logged into in years? Would its password be in the log? (Doesn't sound like it.) Is re-setting all passwords then a way for Titter to link accounts to the same physical user, by linking metadata that the company hadn't been in a position to use before?
  • Reply 8 of 19
    cgWerks Posts: 2,273 member
    chasm said:
    Who is still storing passwords in plain text in 2018? Idiots, that’s who.

    Facebook: oops, data we sold ended up in the wrong hands!
    Twitter: hold my beer ...
    LOL, no kidding. But, it was an error of some kind, it seems. I'm sure they don't store them that way... eekkk.

    They had an interesting talk about that stuff on a recent ATP podcast. Marco was saying how he's trying to think of ways to separate everything into tokens so he doesn't even need to collect stuff like emails. But, it's quite challenging. They also had an episode some time ago where they discussed how mistakes like this happen in code and big projects (I think around the time the password displayed on Apple's login screen).

    Also, re: Facebook - LOTS of people have all that data, so it's next to impossible that it wouldn't end up in the wrong hands. I'm sure a ton of wrong hands have it. Much, much worse than this Twitter problem.
  • Reply 9 of 19
    SpamSandwich Posts: 31,334 member
    I'm not worried about it.  :D
  • Reply 10 of 19
    cgWerks Posts: 2,273 member
    cpsro said:
    cgWerks said:
    Passwords changed for all accounts. :)
    Eggsactly! There are far fewer users than accounts on Titter and Farcebook.

    What if an account hasn't been logged into in years? Would its password be in the log? (Doesn't sound like it.) Is re-setting all passwords then a way for Titter to link accounts to the same physical user, by linking metadata that the company hadn't been in a position to use before?
    Interesting point. But, in my case, I have a company account, an organization (non-profit) account, and a personal account. But, Twitter has been trying to crack down on cross-posting and that kind of thing, for sure. This might give them some way of catching such accounts, if they wanted.

    Don't worry, I'm not part of the Russian or USA troll farms. :smiley:
  • Reply 11 of 19
    Soli Posts: 9,206 member
    lkrupp said:
    You know, what's the use of taking measures to protect one's privacy when big web services can't even protect your frick'n password?
    You're saying that because Twitter had a bug you shouldn't worry about posting all your private data, like your Social Security Number, to the internet?

    Personally, I think it's silly to think that because some website has a bug or could get hacked you shouldn't take personal responsibility for your own privacy and security. I had no trouble changing my Twitter password today because I've always assumed it was already vulnerable (as I do all online-facing logins, among others). I spent 30 seconds changing it, per their request, and that's that. Since that username, personal data, or password are used anywhere else and that password is a random string of 64 characters, I'm not too worried about it.
    edited May 2018
  • Reply 12 of 19
    robin huber Posts: 3,275 member
    Twitter is totally unnecessary. I signed up when it first came out to see what all the hubbub was about. No one followed me, and I didn't want to follow the likes of Kanye and Taylor so I bailed. Managed to live a full life since.
  • Reply 13 of 19
    Soli Posts: 9,206 member
    robin huber said:
    Twitter is totally unnecessary. I signed up when it first came out to see what all the hubbub was about. No one followed me, and I didn't want to follow the likes of Kanye and Taylor so I bailed. Managed to live a full life since.
    Is that a serious post? You signed up and expected people to follow you for no other reason than you signed up then decided the entire platform was unnecessary because you weren't followed back? Sour grapes, much?

    There's a reason why every news organization uses it. There's a reason why I use it to access news and other data, like earthquakes, without waiting for a lengthy story to be written, edited, and posted. I personally don't post to Twitter and so I don't have followers, but I also don't expect to. Why would I?
    PS: You say you signed up when "it first came out" and then say you "didn't want to follow the likes of Kanye and Taylor," but a quick google shows that Twitter launched in 2006, Taylor joined in 2008, and Kanye didn't join until 2010.
    edited May 2018
  • Reply 14 of 19
    anton zuykov Posts: 1,039 member
    lkrupp said:
    You know, what's the use of taking measures to protect one's privacy when big web services can't even protect your frick'n password?
    They are busy policing alternative views, and therefore have no time for crap like hashing passwords... Besides, hashing hurts trees, because it requires more computational power, and hence was deemed not green enough!
  • Reply 15 of 19
    cgWerks Posts: 2,273 member
    anton zuykov said:
    They are busy policing alternative views, and therefore have no time for crap like hashing passwords... Besides, hashing hurts trees, because it requires more computational power, and hence was deemed not green enough!
    The slightly comical thing is that the whole tree-hugger image doesn't work as well anymore because trees *love* CO2. So, in some ways, the modern 'green' movement is actually anti-green. :) So, hash away... the trees will thank you.
  • Reply 16 of 19
    Eric_WVGG Posts: 647 member
    It's all well and good for mocking Twitter for fucking up, but I think they deserve credit for owning it (second time tonight I've used that phrase) and talking to users. Contrast to Yahoo who had multiple database breaches affecting *billions* of users and sweeping it under the rug for years.

    It's starting to look like breaches are inevitable. Companies that deal with it responsibly deserve at least a little respect.
    edited May 2018
  • Reply 17 of 19
    mdwychoff Posts: 11 member
    336 million users = 3 million users and 333 million bots.
  • Reply 18 of 19
    eliangonzal Posts: 490 member
    chasm said:
    Who is still storing passwords in plain text in 2018? Idiots, that’s who.

    Facebook: oops, data we sold ended up in the wrong hands!
    Twitter: hold my beer ...
    These are the same people with the world's two largest platforms for disinformation and abuse. How could the passwords *not* be stored in plain text?
  • Reply 19 of 19
    command_f Posts: 298 member
    chasm said:
    Who is still storing passwords in plain text in 2018? Idiots, that’s who.
    :o
    Facebook: oops, data we sold ended up in the wrong hands!
    Twitter: hold my beer ...
    Well, not Apple, for sure. High Sierra removed the need for a root password entirely so there's no chance of that getting in the wrong hands... oh, hang on :o