This article was published on May 3, 2018

Twitter warns users to change passwords after accidentally ‘unmasking’ them in an internal log [Update]


Twitter warns users to change passwords after accidentally ‘unmasking’ them in an internal log [Update]

Just minutes ago, Twitter’s official support channel posted a tweet stating that users may want to change their passwords as a precautionary measure.

The tweet didn’t dive into much detail, but a blog post that accompanied it revealed that developers found a bug that stored passwords “unmasked” in an internal log.

Typically, twitter uses a hashing algorithm called bcrypt to replace the letters and numbers in your password with a nonsensical-looking string of characters that masks the real thing. Hashing allows your credentials to be used for logging in to Twitter and other services, without revealing your password to developers or system admins.

Due to a bug, the passwords were written to an internal log before they were hashed, exposing the plaintext password to Twitter developers.

Twitter reports that it spotted the error itself, and doesn’t appear to have been breached. Representatives also state that they are implementing plans to prevent this sort of thing from happening again.

While the company isn’t forcing users to change passwords at this point, it wouldn’t be a bad idea.

UPDATE May 5 2:13 PST: Twitter is now strongly urging users to change their passwords.

 

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with