Twitter urges all 336M users to reset passwords due to hashing bug
Twitter on Thursday issued a security alert recommending its 336 million users change their passwords, the result of an apparent bug that caused some codes to be stored unprotected on an internal log.

The company revealed the issue in a post to its official blog and in tweets from Twitter Support. CEO Jack Dorsey and Twitter's official account retweeted the Twitter Support message shortly after it went live, while CTO Parag Agrawal tweeted an apology.
Full details are unknown, but Twitter says the recently discovered bug allowed user passwords to be written to an internal log before being protected, or masked, by a hashing process known as bcrypt. The industry-standard algorithm replaces a stored passcode with a string of seemingly random letters and numbers, and its absence suggests Twitter was logging passwords in plain text.
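An added illustration of the defect described above (not Twitter's code; the article gives no implementation detail): a login handler logs the raw form before the password is hashed, and a sink-side Python `logging.Filter` masks credential fields before any record is written, with a scan over existing log text that an incident responder could use to measure exposure. Field names, logger names and the sample form are constructed.

```python
import logging
import re
from io import StringIO

SECRET_KEYS = {"password", "passwd", "pwd", "new_password"}  # never logged
REDACTED = "[REDACTED]"
KV_PAT = re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+")

def redact(data):
    """Copy of a dict with credential fields masked (nested dicts included)."""
    return {k: REDACTED if k.lower() in SECRET_KEYS
            else redact(v) if isinstance(v, dict) else v
            for k, v in data.items()}

class CredentialRedactor(logging.Filter):
    """Sink-side control: masks credential fields in dict-style args and
    'password=<value>' fragments in the message before the record is formatted."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        record.msg = KV_PAT.sub(r"\1=" + REDACTED, str(record.msg))
        return True

def make_logger(name, redacting):
    """Logger writing to an in-memory buffer so its output can be inspected."""
    buf, logger = StringIO(), logging.getLogger(name)
    del logger.handlers[:], logger.filters[:]  # fresh state on repeat calls
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(buf))
    if redacting:
        logger.addFilter(CredentialRedactor())
    return logger, buf

def scan_log_for_secrets(log_text):
    """IR check: 1-based line numbers still carrying an unmasked credential."""
    return [n for n, line in enumerate(log_text.splitlines(), 1)
            if any(not m.group(0).endswith(REDACTED)
                   for m in KV_PAT.finditer(line))]

def demo():
    """The defect pattern: a debug line logs the raw form before hashing, so
    the log file itself becomes a password store; the filter stops it."""
    form = {"user": "alice", "password": "hunter2"}  # constructed sample input
    outputs = []
    for name, redacting in (("login.unsafe", False), ("login.safe", True)):
        logger, buf = make_logger(name, redacting)
        logger.debug("login attempt user=%(user)s password=%(password)s", form)
        outputs.append(buf.getvalue())
    return tuple(outputs)
```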
Twitter has since fixed the glitch and is working to implement safeguards to prevent similar incidents from occurring in the future.
"We've fixed, see no indication of breach or misuse, and believe it's important for us to be open about this internal defect," Dorsey said in a tweet.
How long the bug was left undetected and how many passwords were affected by the glitch is unknown, but the company does not believe sensitive information left its internal servers or was harvested by a nefarious third party. According to Reuters, a person familiar with the matter said the number of passwords impacted by the bug is "substantial," adding that the information was exposed "for months." Twitter began to inform regulators of the bug when it was discovered a few weeks ago, the person said.
As a precautionary measure, Twitter is urging users to reset their Twitter passwords and any other service where the same code was used. The company also suggests using two-factor authentication and a password manager.
Following today's revelations, some users navigating to the service's homepage are seeing a pop-up message that includes notification of the problem and a direct link to system settings, where passwords can be updated.
While not a security breach, Twitter's password glitch adds to a growing pile of high-profile snafus from tech companies trusted with protecting user data. In many cases, services are targeted by hackers in an attempt to cull personal information. For example, MyFitnessPal in March suffered a breach that exposed usernames, email addresses and passwords of some 150 million accounts.

Comments
Passwords changed for all accounts.
Password Manager!!!
At least then you'll only ever have one account hacked no matter how bad of a job they do.
Facebook: oops, data we sold ended up in the wrong hands!
Twitter: hold my beer ...
So...someone created a log to debug the login process, fixed whatever problem they were looking at, and no one ever looked at it again. That’s not really possible...
The login process is probably the most common thing to attack by hackers, reviewing the process and fixing issues would be continuous.
I wonder if an external code review uncovered the problem, and the internal people knew about it but were ignoring it for convenience until they were called out on it.
What if an account hasn't been logged into in years? Would its password be in the log? (Doesn't sound like it.) Is re-setting all passwords then a way for Twitter to link accounts to the same physical user, by linking metadata that the company hadn't been in a position to use before?
They had an interesting talk about that stuff on a recent ATP podcast. Marco was saying how he's trying to think of ways to separate everything into tokens so he doesn't even need to collect stuff like emails. But, it's quite challenging. They also had an episode some time ago where they discussed how mistakes like this happen in code and big projects (I think around the time the password displayed on Apple's login screen).
Also, re: Facebook - LOTS or people have all that data, so it's next to impossible that it wouldn't end up in the wrong hands. I'm sure a ton of wrong hands have it. Much, much worse than this Twitter problem.
Don't worry, I'm not part of the Russian or USA troll farms.
Personally, I think it's silly to think that because some website has a bug or could get hacked that you shouldn't take personal responsibility of your own privacy and security. I had no trouble changing my Twitter password today because I've always assumed it was already vulnerable (as I do all online facing logins, among others). I spent 30 seconds changing it, per their request and that's that. Since that username, personal data, or password are used anywhere else and that password is a random string of 64 characters I'm not too worried about it.
There's a reason why every news organization uses it. There's a reason why I use it to access news and other data, like earthquakes, without waiting for a lengthy story to be written, edited, and posted. I personally don't post to Twitter and so I don't have followers, but I also don't expect to. Why would I?
PS: You say you signed up when "it first came out" and then say you "didn't want to follow the likes of Kanye and Taylor," but a quick google shows that Twitter launched in 2006, Taylor joined in 2008, and Kanye didn't join until 2010.
It's starting to look like breaches are inevitable. Companies that deal with it responsibly deserve at least a little respect.