twitterlogoTwitter is suggesting that all Twitter users update their passwords following a glitch that exposed some passwords in plaintext on its internal network.

As outlined in a blog post, Twitter says that it recently found a bug that "stored passwords unmasked in an internal log." The bug was fixed, and an internal investigation shows that there was no breach or misuse.

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

Despite the fact that no one appears to have accessed the plaintext passwords, Twitter is recommending that all users "consider" changing their passwords "out of an abundance of caution" both on Twitter and on any other site where the same password was used.

If you're a Twitter user, you can change your password on the web by accessing your Twitter settings and selecting the password option. You will need to enter a current password and then choose a new one. In the Twitter iOS app, you'll need to sign out to initiate a password change.

Using a unique password for every login is the best way to make sure you stay secure in the event of a data breach, something best managed with an app like 1Password or LastPass.

Twitter is recommending users choose a unique, strong password and then protect their accounts with two factor authentication.

Tag: Twitter

Top Rated Comments

benface Avatar
60 months ago
THAT’s how you handle a situation like that.
Score: 21 Votes (Like | Disagree)
barkomatic Avatar
60 months ago
Ah, celebrities take note. For a limited time, you can claim that you didn't actually post that tweet yourself but rather someone hacked into your account due to this mistake!
Score: 14 Votes (Like | Disagree)
Porco Avatar
60 months ago
Oh no, it won't let me add a password of more than 280 characters! ;)
Score: 11 Votes (Like | Disagree)
OldSchoolMacGuy Avatar
60 months ago
All of those commenting about firing the person responsible, are completely ignorant to how the business world and technology works.

Software has bugs. There are mistakes. If you fired everyone that made a mistake, you'd set a precedent that would instill fear in everyone else. No one would want to dare make a single mistake, for fear of losing their job and thus everything grinds to a halt.

These companies have become what they are by innovating and pushing forward. You fire people for mistakes (look up the definition, I didn't say malice) then you'd either fire everyone or stop all growth and progress.

People responsible in these situations aren't fired. That's simply not how it works.
Score: 7 Votes (Like | Disagree)
dougc84 Avatar
60 months ago
My question is why the plaintext password is even sent to them for password resets. There's zero reason for that. Shouldn't it just be validated and hashed by the webpage's script before sending?
There is no hashing done by web page scripts unless the site you are on uses Javascript for both the front end and back end (such as with React, node.js, etc.). Twitter is not one of those sites. However, values are encrypted over the line due to the SSL certificate (why you see HTTPS in the browser), but those values are decrypted on the server. The web server has to handle them somehow, and certainly can't validate anything, create new records (tweets, users, etc.) or update anything (such as your user profile) if it's just garbled encryption. It is not plaintext over the line.

This is inexcusable. Which developer had the bright idea to store passwords to a log file? That should never happen, ever. There's no reason for it.
Twitter was built on Ruby on Rails. It has, I believe, since migrated to another platform, but many of the concepts still remain, regardless of framework used. In Rails, for example, everything is logged - all parameters sent from a form (login info, new tweet message, profile settings, etc.) go to the log file, as well as database transactions and manual log messages.

In real world applications, regardless of programming framework used, logging either goes to an actual file on the drive of a server, or to a drain that feeds the log line-by-line to a service (so it can be searched or you can receive alerts on errors, etc.). There are also multiple levels of logging depending on what needs priority - everything from fatal and error messages that have higher priority, to info and debug messages for general system events. Things like this would have been an info message with parameters received from a client, POSTing to a particular endpoint. Those basic info and debug messages can be omitted from production logs, which does make debugging errors more difficult, but is often done for security purposes (the "use a sledgehammer to hammer in a nail" approach).

In most cases, the application framework employs sanitizers to mask sensitive parameters from being sent to the log (i.e. passwords, credit card numbers, social security numbers, etc.). This happens in a configuration file that isn't touched often, if ever, after the application is deployed on a website. Additionally, masking sensitive parameters occurs in production but not always in local development, since building, updating, or fixing features requires a higher level of knowledge of what's going on vs. once something has gone live.

My guess is they either accidentally turned off the sanitizer, changed the password field name or are using an alias field name to prevent bots (most likely case), or never masked it in the first place and decreased the log level for debugging purposes. It's a simple mistake that isn't easily apparent.

In any case, this happened on their end, they noticed it, and they let us know. There's no indication that anything has actually been accessed. And, even still, with most accounts using 2FA, most users staying perpetually logged in, and with API keys being how external applications authenticate to your Twitter account (not with your password), the likelihood of your password even showing up in the log is very slim anyway. I'm not saying you shouldn't change your password (because you absolutely should), but this sounds much scarier than it actually is.
Score: 6 Votes (Like | Disagree)
Apple_Robert Avatar
60 months ago
I have Two Factor Authentication turned on with my Twitter account. If they had my password, it is useless to them.
Score: 5 Votes (Like | Disagree)

Popular Stories

Emergency SOS via Satellite iPhone YT

Apple's iPhone 14 Emergency SOS via Satellite Feature Saves Stranded Man in Alaska

Thursday December 1, 2022 4:37 pm PST by
With the launch of iOS 16.1, Apple rolled out a Emergency SOS via Satellite, which is designed to allow iPhone 14 owners to contact emergency services using satellite connectivity when no cellular or WiFi connection is available. The feature was put to the test in Alaska today, when a man became stranded in a rural area. In the early hours of the morning on December 1, Alaska State Troopers ...
iPhone Measure Height

Newer iPhones Allow You to Measure Someone's Height Instantly — Here's How

Saturday December 3, 2022 10:23 am PST by
iPhone 12 Pro and Pro Max, iPhone 13 Pro and Pro Max, and iPhone 14 Pro and Pro Max models feature a LiDAR Scanner next to the rear camera that can be used to measure a person's height instantly in Apple's preinstalled Measure app. To measure a person's height, simply open the Measure app, point your iPhone at the person you want to measure, and make sure they are visible on the screen from...
General iOS 16 Feature Yellow

iOS 16.2 for iPhone Launching This Month With These 8 New Features

Thursday December 1, 2022 8:44 am PST by
Apple plans to publicly release iOS 16.2 for the iPhone in mid-December, according to Bloomberg's Mark Gurman. The update remains in beta testing for now, with at least eight new features and changes already uncovered so far. iOS 16.2 introduces a number of new features, including Apple's new whiteboard app Freeform, two new Lock Screen widgets for Sleep and Medications, the ability to hide...
iOS 16

When Will iOS 16.2 Be Released?

Friday December 2, 2022 2:13 pm PST by
Apple in late October began testing iOS 16.2 and iPadOS 16.2 updates, providing betas to both developers and public beta testers. As of now, we've had four total betas, with the fourth beta having been released earlier this week. iOS 16.2 and iPadOS 16.2 are expected before the end of the year, and we thought we'd try to narrow down the launch timeline. With only four betas released since...
14 vs 16 inch mbp m2 pro and max feature 1

Major RAM Upgrade Coming to Next-Generation MacBook Pro

Friday December 2, 2022 2:03 am PST by
The next-generation MacBook Pro models could feature faster RAM, according to a recent report from a reliable source. MacRumors Forums member "Amethyst," who accurately revealed details about the Mac Studio and Studio Display before those products were announced, recently provided information about Apple's upcoming 14- and 16-inch MacBook Pro models. The new machines are expected to feature...
iPad 10 Battery Pull Tabs

iPad 10 Teardown Reveals Why Device Isn't Compatible With Apple Pencil 2

Thursday December 1, 2022 10:48 am PST by
Do-it-yourself repair website iFixit today shared a video teardown of Apple's new 10th-generation iPad, providing a closer look inside the tablet and revealing why the device lacks support for the second-generation Apple Pencil. The teardown reveals the internal layout of the iPad, including its two-cell 7,606 mAh battery, logic board with the A14 Bionic chip, and more. As suspected, the...
android apple fix rcs

Google Again Criticizes Apple for Not Adopting RCS for Messages App: 'Their Texting is Stuck in the 1990s'

Friday December 2, 2022 10:54 am PST by
Google is continuing on with its attempt to convince Apple to adopt the RCS messaging standard, publishing a new "it's time for RCS" blog post. Promoted heavily by Google, RCS or Rich Communication Services is a messaging standard that is designed to replace the current SMS messaging standard. It provides support for higher resolution photos and videos, audio messages, and bigger file sizes, ...
ios 16 2 beta notifiation center

PSA: Older Notifications No Longer Hidden in Notification Center in iOS 16.2 Beta 4

Friday December 2, 2022 5:23 am PST by
In a small but significant change to the way the Notification Center works in the latest iOS 16.2 beta, older notifications are now shown by default without having to swipe up. In the current release as well as earlier versions of iOS 16, users do not automatically see older notifications in the Notification Center like they did in iOS 15, and instead must manually swipe up from the middle...
lastpass

LastPass Hacked for Second Time This Year

Friday December 2, 2022 4:04 am PST by
Password management app LastPass says it is investigating a security incident after an "unauthorized party" compromised its systems on Wednesday and gained access to some customer information. The information was stored in a third-party cloud service shared by LastPass and parent company GoTo, said LastPass CEO Karim Toubba in a blog post. Toubba said the hackers used information stolen from ...
Apple Card Savings

Apple Card Customer Agreement Updated for 'Upcoming' Savings Account Feature

Friday December 2, 2022 11:43 am PST by
Goldman Sachs this week updated its Apple Card customer agreement to reflect the credit card's upcoming Daily Cash savings account feature, which was expected to launch with iOS 16.1 but appears to have been delayed. "To enable new ways to use Daily Cash like the upcoming Savings account feature, we are updating the Daily Cash Program section of your Apple Card Customer Agreement," reads an...