Twitter is urging all 330m of its users to change their passwords after a ‘bug’ left login details unencrypted on an internal log at the company.
As is standard within the industry, the microblogging platform uses a function known as bcrypt to ‘hash’ passwords so that no one at the company can see them. This function would normally replace actual passwords with a seemingly random string of numbers and letters to be stored within Twitter’s system. However, a bug meant passwords were written to an internal log without ever being masked.
Twitter found that the issue had been present for several months before it became aware of the situation, but it has found no evidence to suggest that the data had found its way to bad actors. Nonetheless, the company is asking all of its users to update their passwords and to enable login verification – also known as two-factor authentication.
“We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process,” said Jack Dorsey, Twitter CEO, in a tweet. “We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect.”
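The defect class described above, a password reaching a log before it is hashed, and one guard against it, shown as an added example that is not Twitter's code. The logger name, field names and `RedactSecrets` filter are hypothetical, and PBKDF2 from the Python standard library stands in for bcrypt.

```python
import hashlib
import io
import logging
import os

SENSITIVE_KEYS = {"password", "passwd", "new_password"}  # assumed field names

class RedactSecrets(logging.Filter):
    """Replace sensitive field values before a handler writes the record."""
    def filter(self, record):
        # logging stores a single dict argument directly in record.args
        if isinstance(record.args, dict):
            record.args = {
                k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
                for k, v in record.args.items()
            }
        return True

def hash_password(password, salt):
    # PBKDF2 stands in for bcrypt, which needs a third-party package
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def handle_signup(log, fields):
    # The defect class: the request is logged before the password is hashed
    log.info("signup %s", fields)
    salt = os.urandom(16)
    return salt, hash_password(fields["password"], salt)

def run(with_filter):
    """Process one constructed signup and return what reached the log."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    if with_filter:
        handler.addFilter(RedactSecrets())
    log = logging.getLogger("signup-demo")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(handler)
    try:
        # Constructed sample input; the password contains a space on purpose
        handle_signup(log, {"user": "alice", "password": "correct horse"})
    finally:
        log.removeHandler(handler)
    return buf.getvalue()

if __name__ == "__main__":
    print("unfiltered:", run(False), end="")
    print("filtered:  ", run(True), end="")
```

Redacting by field name rather than by pattern-matching the formatted message keeps passwords containing spaces or quotes from slipping through partially masked.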