If you’re using Twitter, you should change your password, because Twitter messed up in a fundamental way. While there’s no indication that any passwords have been accessed, the social networking service is strongly urging you to change your password.
You Should Probably Heed Twitter’s Advice…
In a blog post titled “Keeping Your Account Secure”, Twitter has owned up to making a rather fundamental error: passwords were written to an internal log without being hashed, which potentially exposed them to Twitter employees.
As is standard across the industry, Twitter uses something called hashing to mask passwords. Hashing replaces the actual password with a string of numbers and letters derived from it, so Twitter’s systems can log you in just fine without the password itself being visible.
According to Twitter, a recently discovered bug meant that passwords were written to an internal log before the hashing process had completed. Twitter found this bug, fixed it, and removed the unhashed passwords from the internal log.
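The bug class described above, as an added example that is not Twitter's code: a signup handler logs the request form before hashing, and a `logging.Filter` redacts password fields so that only the salted hash persists. The field names, the logger name and the choice of PBKDF2 are assumptions; the page does not say which hash function Twitter uses.

```python
import hashlib
import hmac
import io
import logging
import os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed request field names


class RedactSecrets(logging.Filter):
    """Replace sensitive values in dict-style log arguments before handlers run."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (assumed choice); store only salt and digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def handle_signup(form, log):
    """Logs the raw form before hashing: the pattern that puts plaintext in logs."""
    log.info("signup user=%(user)s password=%(password)s", form)
    return hash_password(form["password"])


def run_demo(redact):
    """Process one constructed signup; return (log text, salt, digest)."""
    stream = io.StringIO()
    log = logging.Logger("signup-demo", level=logging.INFO)  # hypothetical name
    log.addHandler(logging.StreamHandler(stream))
    if redact:
        log.addFilter(RedactSecrets())
    form = {"user": "alice", "password": "correct horse battery"}  # constructed
    salt, digest = handle_signup(form, log)
    return stream.getvalue(), salt, digest


if __name__ == "__main__":
    print(run_demo(redact=False)[0], run_demo(redact=True)[0], sep="")
```

The filter is a safety net for log statements that slip through review; the primary fix is still to never pass the raw form to the logger.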
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
However, despite fixing the issue, Twitter is still strongly recommending that every single user change their password as soon as possible. And you may actually have already encountered a warning screen advising you to change your Twitter password.
If Twitter is to be believed—and we have no reason to doubt it—this is just a precautionary measure. In fact, Twitter makes it clear that it has “no reason to believe password information ever left Twitter’s systems or was misused by anyone.”
Mildly Inconveniencing 330 Million People
Twitter deserves credit for coming clean. Naming no names, plenty of companies have sat on data breaches for years, choosing to protect their brand rather than their users. Whereas Twitter has chosen to mildly inconvenience 330 million people instead.
This might be an ideal time to read up on passwords.