A call from Twitter Support is causing a stir: the operators of the social network are encouraging all users to change their passwords. It is reminiscent of similar calls from Yahoo a few years ago, when a hack hit over 500 million user accounts.
In Twitter's case, however, this is not a hack, mind you. According to Twitter's statement, the failure was due to an error in the hashing system that masks the passwords: through a function known as bcrypt, the real password is replaced with a random set of numbers and letters that is stored in the company's database.
This error caused the passwords to be written to an internal log before going through the hashing process, that is, in plain text. After finding the bug, Twitter removed the passwords from the log.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
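The failure mode described above, a request written to a log before its password reaches the hashing step, can be guarded against at the logging layer. The following is an added example, not Twitter's code: a Python logging filter that redacts sensitive fields before any handler writes them. The field names, logger names and sample request are assumptions constructed for illustration.

```python
import io
import logging

# Assumed field names; extend to match the application's own request schema.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "token"}
# Constructed sample input, not real data.
SAMPLE_REQUEST = {"user": "alice", "password": "hunter2-constructed",
                  "profile": {"new_password": "s3cret-constructed"}}

def redact(value):
    """Return a copy of value with sensitive dict entries masked, at any depth."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value

class RedactingFilter(logging.Filter):
    """Masks sensitive fields in log arguments before the record is formatted."""
    def filter(self, record):
        # logging unwraps a single dict argument, so args may be a dict or a tuple.
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        return True

def log_signup(request, use_filter):
    """Log a request the way a debug statement would; return what was written."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if use_filter:
        handler.addFilter(RedactingFilter())
    logger = logging.getLogger(f"signup.demo.{use_filter}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    # The mistake: the raw request is logged before the password is hashed.
    logger.info("signup request: %s", request)
    return stream.getvalue()

def leaks(log_text, request=SAMPLE_REQUEST):
    """Detection check: does the log text contain any plaintext secret?"""
    secrets = [request["password"], request["profile"]["new_password"]]
    return any(s in log_text for s in secrets)

if __name__ == "__main__":
    print("unfiltered leaks:", leaks(log_signup(SAMPLE_REQUEST, False)))
    print("filtered leaks:  ", leaks(log_signup(SAMPLE_REQUEST, True)))
```

The filter only covers structured arguments; a password already interpolated into the message string is not caught, so log output should still be scanned for known test secrets as `leaks` does.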
Twitter assures users that the first results of its investigation indicate that the information did not leave its systems and therefore was not exposed. However, so far it cannot guarantee this, and hence it asks us to take precautions and change our passwords as soon as possible.
Twitter did not provide more specific details, such as how long the passwords were exposed or the actual number of affected users. But the fact that it is asking all of its users, more than 330 million, to change their passwords could mean that it was a big mistake.
Twitter insisted that the likelihood that the passwords were exposed is “extremely low,” and so far its internal investigation shows no signs of misuse. The company also recommends activating two-step authentication and using a password manager, additional security measures that could help mitigate the possible risks of this type of error.
Further investigation may reveal different findings. That doesn’t matter right now: if you’re a Twitter user and you haven’t taken my advice to change your password yet, go do it now!