Bekker's Blog


Twitter's Password Exposure Admission

Twitter made a costly admission on Thursday afternoon. The company's stock took an after-hours hit as investors digested a company Tweet and blog post revealing that Twitter had discovered an internal bug that resulted in user passwords being stored unencrypted on an internal log.

Twitter CTO Parag Agrawal encouraged the service's 330 million users to consider changing their Twitter passwords on all services where they've used it. Agrawal said the move came "out of an abundance of caution" and emphasized that Twitter has no reason to believe the passwords ever left company systems or that they were misused.

In other words, this wasn't a breach, and you're not about to get an alert from

"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password," Agrawal wrote.

"Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," he said.
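An added illustration (not Twitter's code) of the failure mode Agrawal describes: the same login handler written with the log line emitted before hashing and after it, plus a check a defender can run over log lines to flag the mistake. PBKDF2 from the Python standard library stands in for bcrypt here so the block runs without third-party packages; the log sink, usernames and field names are constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Stand-in for bcrypt (PBKDF2-HMAC-SHA256 from the standard library). The
# logging mistake illustrated below does not depend on which hash is used.
ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Return salt and digest as hex, joined by '$', for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class ListLog:
    """Constructed in-memory sink standing in for an internal application log."""
    def __init__(self):
        self.lines = []

    def write(self, line: str):
        self.lines.append(line)


def login_buggy(log: ListLog, username: str, password: str) -> str:
    # The bug pattern: the request is logged, password included, before hashing.
    log.write(f"login attempt user={username} password={password}")
    return hash_password(password)


def login_fixed(log: ListLog, username: str, password: str) -> str:
    # Hash first, then log only fields that are safe to retain.
    stored = hash_password(password)
    log.write(f"login attempt user={username} password=[redacted]")
    return stored


# Detection: flag any log line carrying a value under a password-like key
# that is not the redaction marker.
SECRET_FIELD = re.compile(r"\b(password|passwd|pwd)=(?!\[redacted\])\S+", re.I)


def find_leaked_secrets(lines):
    """Return indexes of log lines that appear to contain a plaintext secret."""
    return [i for i, line in enumerate(lines) if SECRET_FIELD.search(line)]
```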

Judging by the current public information, Twitter is handling this the right way. Changing Twitter passwords on all of our devices will be a pain -- who enjoys typing a secure password into a smartphone, after all? It's worth the annoyance.

Everybody makes configuration mistakes. Assuming that's all this is, Twitter might have been able to get away with hiding an internal flub like this that hasn't resulted in an actual known breach of passwords.

Getting the word out is respectful of the user base. It also protects Twitter in our current advanced persistent threat environment. If it turns out later that some APT was inside Twitter's systems unbeknownst to the company, the rest of us will have had a fair opportunity to secure our accounts.

So go change those passwords.

Posted by Scott Bekker on 05/03/2018 at 3:25 PM

