Bekker's Blog

Blog archive

Twitter's Password Exposure Admission

Twitter made a costly admission on Thursday afternoon. The company's stock took an after-hours hit as investors digested a company Tweet and blog post revealing that Twitter had discovered an internal bug that resulted in user passwords being stored unencrypted on an internal log.

Twitter CTO Parag Agrawal encouraged the service's 330 million users to consider changing their Twitter passwords on all services where they've used it. Agrawal said the move came "out of an abundance of caution" and emphasized that Twitter has no reason to believe the passwords ever left company systems or that they were misused.

In other words, this wasn't a breach, and you're not about to get an alert from

"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password," Agrawal wrote.

"Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," he said.

Judging by the current public information, Twitter is handling this the right way. Changing Twitter passwords on all of our devices will be a pain -- who enjoys typing a secure password into a smartphone, after all? It's worth the annoyance.

Everybody makes configuration mistakes. Assuming that's all this is, Twitter might have been able to get away with hiding an internal flub like this that hasn't resulted in an actual known breach of passwords.

Getting the word out is respectful of the user base. It also protects Twitter in our current advanced persistent threat environment. If it turns out later that some APT was inside Twitter's systems unbeknownst to the company, the rest of us will have had a fair opportunity to secure our accounts.

So go change those passwords.

Posted by Scott Bekker on 05/03/2018 at 3:25 PM


  • Spaceflight Training in the Middle of a Pandemic

    Surprisingly, the worldwide COVID-19 lockdown has hardly slowed down the space training process for Brien. In fact, it has accelerated it.

  • Surface and ARM: Why Microsoft Shouldn't Follow Apple's Lead and Dump Intel

    Microsoft's current Surface flagship, the Surface Pro X, already runs on ARM. But as the ill-fated Surface RT showed, going all-in on ARM never did Microsoft many favors.

  • IT Security Isn't Supposed To Be Easy

    Joey explains why it's worth it to endure a little inconvenience for the long-term benefits of a password manager and multifactor authentication.

  • Microsoft Makes It Easier To Self-Provision PCs via Windows Autopilot When VPNs Are Used

    Microsoft announced this week that the Windows Autopilot service used with Microsoft Intune now supports enrolling devices, even in cases where virtual private networks (VPNs) might get in the way.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.