Twitter's Password Exposure Admission
Twitter made a costly admission on Thursday afternoon. The company's stock took an after-hours hit as investors digested a company Tweet and blog post revealing that Twitter had discovered an internal bug that resulted in user passwords being stored unencrypted on an internal log.
Twitter CTO Parag Agrawal encouraged the service's 330 million users to consider changing their Twitter passwords on all services where they've used it. Agrawal said the move came "out of an abundance of caution" and emphasized that Twitter has no reason to believe the passwords ever left company systems or that they were misused.
In other words, this wasn't a breach, and you're not about to get an alert from haveibeenpwned.com.
"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password," Agrawal wrote.
"Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," he said.
Judging by the current public information, Twitter is handling this the right way. Changing Twitter passwords on all of our devices will be a pain -- who enjoys typing a secure password into a smartphone, after all? It's worth the annoyance.
Everybody makes configuration mistakes. Assuming that's all this is, Twitter might have been able to get away with hiding an internal flub like this that hasn't resulted in an actual known breach of passwords.
Getting the word out is respectful of the user base. It also protects Twitter in our current advanced persistent threat environment. If it turns out later that some APT was inside Twitter's systems unbeknownst to the company, the rest of us will have had a fair opportunity to secure our accounts.
So go change those passwords.
Posted by Scott Bekker on 05/03/2018 at 3:25 PM