330 Million Twitter Users' Passwords Left Out in The Open...

[Hervé]

‘Change your password!’ Twitter urges 330 million users after ‘internal glitch’

RT
Published time: 3 May, 2018 23:08
Edited time: 4 May, 2018 07:10
Get short URL

© Lucas Jackson / Reuters

An internal “bug” left millions of Twitter passwords potentially exposed for months in a plain text file, the company revealed, as it urged hundreds of millions of users to change their passwords as a precaution.

Twitter is supposed to “hash” passwords, using a process called “bcrypt,” before they are stored internally, so the actual passwords are masked for security. A bug caused the passwords to be written down in an internal log before the hashing process was complete, Twitter’s chief technology officer Parag Agrawal wrote in a blog post on Thursday.

“We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” Agrawal wrote.

Micah Lee‏Verified account @micahflee

Did Twitter show this to you all too?

2:35 PM - 3 May 2018
70 replies 22 retweets 91 likes

Twitter CEO Jack Dorsey said the company saw “no indication of breach or misuse” of the passwords, which Reuters reported (citing sources within the company), had been left open for “several months.”

The blog post did not say how many accounts may have been affected. According to April 2018 estimates, Twitter has about 330 million active users worldwide. Twitter urged all users to consider changing their password “out of an abundance of caution.”

In addition to changing the Twitter password to something strong and unique, Agrawal urged users to enable login verification and to use a password manager.

Some Twitter users weren’t convinced by Agrawal’s description of the problem as a bug, and also took offense at his explanation that Twitter “didn’t have to” share this information.

• 
  Parag Agrawal‏ @paraga 18h18 hours ago

Parag Agrawal Retweeted Parag Agrawal
I should not have said we didn’t have to share. I have felt strongly that we should. My mistake.

Parag Agrawal added,
Parag Agrawal @paraga
We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do. https://twitter.com/twittersupport/s...32808192634881 …
Show this thread
85 replies 72 retweets 343 likes

Rodrigo R. Paz‏ @rodrigorpaz

Replying to @paraga
Why are you calling it a "bug"?. You dumped unencrypted password to a file. You need a code sentence for that. That's not a bug, That's something deliberate. You must clarify what happened, period.

2:46 PM - 3 May 2018
2 replies 7 retweets 23 likes

The news comes after Twitter posted a profitable quarter for the second time in a row, after years of losing money. According to AFP, first-quarter revenue rose to $665 million, 21 percent more than at the same time last year, helped by growth in advertising revenue.