Twitter Warns Users To Change All Their Passwords After Finding Bug

An “internal defect” led users’ account passwords to be stored in an internal log, the company said.
Twitter users received an alert from the company on May 3 directing them to change their passwords.

Twitter is urging its more than 330 million users to change their passwords after it discovered a bug in its system that inadvertently stored account passwords in an internal log.

The company's CEO, Jack Dorsey, called the glitch an "internal defect."

Twitter users on Thursday received an alert from the company explaining the issue and directing them to their account settings so they could change their passwords.

In a linked blog post, the company apologized for the problem.

"We are very sorry this happened," said Twitter's chief technology officer, Parag Agrawal. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."

The company fixed the bug, deleted the stored passwords and launched an investigation that showed no signs of a breach or data misuse, according to Agrawal.

Still, "out of an abundance of caution," the company said, it recommended that users change their passwords not only for Twitter but also for any other accounts with the same password.

The bug affected a process called hashing, which Twitter uses to mask users' passwords by cryptographically converting them to different number and letter combinations before storing them.

Twitter uses the masked passwords to validate users' account credentials.

"This is an industry standard," Agrawal said.

However, the bug discovered by the company caused the passwords to be stored in an internal log before they were masked.
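The failure described above, a password reaching a log before it is hashed, is shown here next to a logging guard that masks the field. This is an added illustration, not Twitter's code: the field names, logger name, sample credentials and the use of PBKDF2 as the hash are assumptions.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed form field names
PBKDF2_ROUNDS = 600_000                        # assumed work factor

def scrub(value):
    """Return a copy of value with sensitive dict fields masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value

class RedactSecrets(logging.Filter):
    """Mask secrets in log arguments before the handler formats the record."""
    def filter(self, record):
        record.args = scrub(record.args)
        return True

def hash_password(password, salt=None):
    """Derive the value that is stored instead of the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password, salt, stored):
    """Re-derive from the login attempt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def handle_signup(form, redact):
    """Log the request, then hash. Returns (log text, salt, stored hash)."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSecrets())
    log = logging.getLogger("signup_demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    log.info("signup request: %s", form)   # runs before hashing, as in the bug
    log.removeHandler(handler)
    salt, stored = hash_password(form["password"])
    return buf.getvalue(), salt, stored

if __name__ == "__main__":
    form = {"user": "alice", "password": "correct horse battery"}  # constructed
    print(handle_signup(form, redact=False)[0], end="")  # plaintext in the log
    print(handle_signup(form, redact=True)[0], end="")   # field masked
```

The filter sits on the handler so it also covers records passed up from child loggers; it only catches secrets passed as structured arguments, not ones already interpolated into the message string.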

Agrawal said that Twitter has "no reason to believe password information ever left Twitter's systems or was misused by anyone" but recommended that users take extra steps to secure their accounts, including two-factor authentication and using different passwords for separate accounts.

He received some backlash from Twitter users after he tweeted that the company "didn't have to" tell users that their passwords had been stored in plain text in its system.

Agrawal later admitted he made a mistake by saying that Twitter didn't have to inform users of the issue. Dorsey praised Agrawal's response, adding, "I love my teammates."
