Twitter Chief Technology Officer Parag Agrawal has warned users to change their Twitter passwords immediately – after they discovered that the passwords were inadvertently stored in plain text into their internal database system. That is definitely not how it is supposed to be, making accounts of 336 million Twitter user accounts vulnerable to hackers.
On Thursday, Parag Agrawal took it to Twitter blog to warn that it was recommended for all of its 336 million users change their passwords. The recommendation was made after Twitter discovered a bug that mistakenly stored all user account passwords in an unprotected, unencrypted plain text format – which his readable and vulnerable to attacks from hackers. Immediately after finding out the password flaw in a regulatory filing, Twitter fixed the issue and announced that there were no signs that anyone had breached or misused the passwords – good news!
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
However, it is still it is advised you to change your Twitter password right away to make sure that your account and password are safe from any misuse. Explaining the problem that made Twitter take this issue public, Agrawal said that user passwords are protected by scrambling them using a cryptographic method called hashing. For Twitter, they use an advance hashing technique called bcrypt to protect the passwords. But reportedly, a bug made Twitter to accidentally store passwords in plain text format in internal log before its password management system finished hashing them. This means, everything would look fine in the database, but the passwords were visible and readable on the internal log file.
While this has the potential to jeopardise 336 million user’s privacy, it is good that Twitter has found the bug and solved it too. Parag Agrawal apologized for what had happened and ensured that it never happens again. Taking the bug to public and accepting their fault shows goodwill of the company, because Twitter could have simply implemented remediation and hoped for the best. So if you still haven’t changed the password, please do and let Twitter take care of guaranteeing users about the security of their privacy.