Just minutes ago, Twitter’s official support channel posted a tweet stating that users may want to change their passwords as a precautionary measure.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
The tweet didn’t dive into much detail, but a blog post that accompanied it revealed that developers found a bug that stored passwords “unmasked” in an internal log.
Normally, Twitter runs each password through a hashing algorithm called bcrypt, which turns the letters and numbers you typed into a nonsensical-looking string of characters that masks the real thing. Because only that hash is kept, your credentials can still be checked when you log in to Twitter and other services without your actual password ever being visible to developers or system admins.
Due to a bug, the passwords were written to an internal log before they were hashed, exposing the plaintext password to Twitter developers.
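The failure the article describes, a request being written to a log before the password in it is hashed, as an added example that is not Twitter's code: the pre-fix and post-fix versions side by side, plus a check a defender can run over the log sink. The in-memory logger, the field names, and PBKDF2 (standing in for bcrypt, which the standard library lacks) are all assumptions.

```python
import hashlib
import hmac
import json
import os

# Constructed in-memory log sink standing in for an internal application log.
LOG = []

# Request fields whose values must never reach a log line (assumed list).
SENSITIVE_KEYS = {"password", "new_password", "token"}


def log_event(event, fields):
    """Append one JSON log line and return it (constructed logger)."""
    line = json.dumps({"event": event, **fields}, sort_keys=True)
    LOG.append(line)
    return line


def redact(fields):
    """Mask sensitive fields so the record is safe to log."""
    return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else v) for k, v in fields.items()}


def hash_password(password, salt=b""):
    """Salted slow hash; PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def set_password_vulnerable(request):
    """Before the fix: the raw request is logged, so the plaintext lands in the log."""
    log_event("password_change", request)
    return hash_password(request["password"])


def set_password_hardened(request):
    """After the fix: redact first, then log; only the hash is ever retained."""
    log_event("password_change", redact(request))
    return hash_password(request["password"])


def log_contains(secret):
    """Detection check: does any line in the sink leak the given value?"""
    return any(secret in line for line in LOG)
```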
Twitter reports that it spotted the error itself and has seen no sign of a breach. Representatives also state that they are putting measures in place to prevent a recurrence.
While the company isn’t forcing users to change passwords at this point, it wouldn’t be a bad idea.
UPDATE May 5 2:13 PST: Twitter is now strongly urging users to change their passwords.