Twitter is issuing a warning to all 330 million of its users after it discovered a bug in its systems that stored users’ passwords in plaintext in an internal log. It isn’t saying how many people were specifically affected by the mistake, but the number must be substantial if it’s asking all of its members to change their password.
Twitter normally stores passwords using a password-hashing function called bcrypt. Rather than encrypting the password (which could be reversed with the key), bcrypt runs it through a deliberately slow one-way function together with a random salt, and only the resulting hash is stored on the company’s servers. When you log in, Twitter hashes what you typed with the same salt and compares the result, so it can validate the login without ever keeping, or being able to recover, the password itself.
According to Twitter’s blog post on the security snafu, passwords were written to an internal log before they went through this hashing process, so the log held them in plaintext. Twitter says it found the error, removed the passwords from the log, and is implementing changes to make sure it doesn’t happen again. It also says its investigation found no indication of a breach or misuse of the data by anyone.
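To make the two halves of the story concrete, here is an added example (not Twitter’s code, and not taken from its blog post) showing the storage pattern described above next to the logging mistake described here. bcrypt itself lives in a third-party package, so this uses PBKDF2-HMAC-SHA256 from Python’s standard library; the pattern (random salt, slow one-way hash, verification by recomputing) is the same. The iteration count, the field names treated as sensitive, and the sample login form are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

# Assumption for this example: a cost that is noticeably slow on the server.
# bcrypt would express the same idea as a "work factor".
ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2$iterations$salt$hash' (hex fields).

    A fresh random salt is drawn every time, so two users with the same
    password get different records and the hash cannot be precomputed.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept it
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# The failure mode the article describes: a request logger that serialises the
# raw login form, so the plaintext password lands in the log before hashing.
SENSITIVE_FIELDS = {"password", "new_password", "current_password"}  # assumption


def log_request_unsafe(form: dict) -> str:
    """The bug: logs the form exactly as received, secrets included."""
    return "login attempt: " + json.dumps(form, sort_keys=True)


def log_request_redacted(form: dict) -> str:
    """Same log line, but sensitive fields are replaced before serialisation."""
    scrubbed = {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v) for k, v in form.items()}
    return "login attempt: " + json.dumps(scrubbed, sort_keys=True)


def login(form: dict, user_db: dict, log: list) -> bool:
    """Hardened handler: redact first, hash in memory, never write the secret out."""
    log.append(log_request_redacted(form))
    stored = user_db.get(form.get("username"))
    return stored is not None and verify_password(form.get("password", ""), stored)


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    db = {"alice": hash_password("correct horse battery staple")}
    log_lines = []
    ok = login({"username": "alice", "password": "correct horse battery staple"}, db, log_lines)
    print(ok, log_lines[0])
```

The check a practitioner would actually want is the one in the redacted logger: grep your own logs for a known test password after a login, and treat any hit as the same class of bug Twitter found.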
As mentioned above, Twitter isn’t disclosing how many or whose passwords were exposed. A person familiar with the company’s response told Reuters that the number of passwords exposed was substantial. Worse, they appear to have sat in the log for several months.
The same source claims that Twitter discovered the bug a couple of weeks ago and reported it to some regulators. It’s not clear why the company waited that long to tell the public their accounts might be at risk.
Twitter is strongly urging users to change their password. It would also be a good idea to change it on any other site where you reused the same password, since a plaintext copy of it is exactly what credential-stuffing attacks rely on. Enabling two-factor authentication is a solid idea as well, as is using a password manager to make sure every password is unique and strong.