twitterlogoTwitter is suggesting that all Twitter users update their passwords following a glitch that exposed some passwords in plaintext on its internal network.

As outlined in a blog post, Twitter says that it recently found a bug that "stored passwords unmasked in an internal log." The bug was fixed, and an internal investigation shows that there was no breach or misuse.

We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter's system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard.

Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.

Despite the fact that no one appears to have accessed the plaintext passwords, Twitter is recommending that all users "consider" changing their passwords "out of an abundance of caution" both on Twitter and on any other site where the same password was used.

If you're a Twitter user, you can change your password on the web by accessing your Twitter settings and selecting the password option. You will need to enter a current password and then choose a new one. In the Twitter iOS app, you'll need to sign out to initiate a password change.

Using a unique password for every login is the best way to make sure you stay secure in the event of a data breach, something best managed with an app like 1Password or LastPass.

Twitter is recommending users choose a unique, strong password and then protect their accounts with two factor authentication.

Tag: Twitter

Top Rated Comments

benface Avatar
94 months ago
THAT’s how you handle a situation like that.
Score: 21 Votes (Like | Disagree)
barkomatic Avatar
94 months ago
Ah, celebrities take note. For a limited time, you can claim that you didn't actually post that tweet yourself but rather someone hacked into your account due to this mistake!
Score: 14 Votes (Like | Disagree)
Porco Avatar
94 months ago
Oh no, it won't let me add a password of more than 280 characters! ;)
Score: 11 Votes (Like | Disagree)
OldSchoolMacGuy Avatar
94 months ago
All of those commenting about firing the person responsible, are completely ignorant to how the business world and technology works.

Software has bugs. There are mistakes. If you fired everyone that made a mistake, you'd set a precedent that would instill fear in everyone else. No one would want to dare make a single mistake, for fear of losing their job and thus everything grinds to a halt.

These companies have become what they are by innovating and pushing forward. You fire people for mistakes (look up the definition, I didn't say malice) then you'd either fire everyone or stop all growth and progress.

People responsible in these situations aren't fired. That's simply not how it works.
Score: 7 Votes (Like | Disagree)
dougc84 Avatar
94 months ago
My question is why the plaintext password is even sent to them for password resets. There's zero reason for that. Shouldn't it just be validated and hashed by the webpage's script before sending?
There is no hashing done by web page scripts unless the site you are on uses Javascript for both the front end and back end (such as with React, node.js, etc.). Twitter is not one of those sites. However, values are encrypted over the line due to the SSL certificate (why you see HTTPS in the browser), but those values are decrypted on the server. The web server has to handle them somehow, and certainly can't validate anything, create new records (tweets, users, etc.) or update anything (such as your user profile) if it's just garbled encryption. It is not plaintext over the line.

This is inexcusable. Which developer had the bright idea to store passwords to a log file? That should never happen, ever. There's no reason for it.
Twitter was built on Ruby on Rails. It has, I believe, since migrated to another platform, but many of the concepts still remain, regardless of framework used. In Rails, for example, everything is logged - all parameters sent from a form (login info, new tweet message, profile settings, etc.) go to the log file, as well as database transactions and manual log messages.

In real world applications, regardless of programming framework used, logging either goes to an actual file on the drive of a server, or to a drain that feeds the log line-by-line to a service (so it can be searched or you can receive alerts on errors, etc.). There are also multiple levels of logging depending on what needs priority - everything from fatal and error messages that have higher priority, to info and debug messages for general system events. Things like this would have been an info message with parameters received from a client, POSTing to a particular endpoint. Those basic info and debug messages can be omitted from production logs, which does make debugging errors more difficult, but is often done for security purposes (the "use a sledgehammer to hammer in a nail" approach).

In most cases, the application framework employs sanitizers to mask sensitive parameters from being sent to the log (i.e. passwords, credit card numbers, social security numbers, etc.). This happens in a configuration file that isn't touched often, if ever, after the application is deployed on a website. Additionally, masking sensitive parameters occurs in production but not always in local development, since building, updating, or fixing features requires a higher level of knowledge of what's going on vs. once something has gone live.

My guess is they either accidentally turned off the sanitizer, changed the password field name or are using an alias field name to prevent bots (most likely case), or never masked it in the first place and decreased the log level for debugging purposes. It's a simple mistake that isn't easily apparent.

In any case, this happened on their end, they noticed it, and they let us know. There's no indication that anything has actually been accessed. And, even still, with most accounts using 2FA, most users staying perpetually logged in, and with API keys being how external applications authenticate to your Twitter account (not with your password), the likelihood of your password even showing up in the log is very slim anyway. I'm not saying you shouldn't change your password (because you absolutely should), but this sounds much scarier than it actually is.
Score: 6 Votes (Like | Disagree)
Apple_Robert Avatar
94 months ago
I have Two Factor Authentication turned on with my Twitter account. If they had my password, it is useless to them.
Score: 5 Votes (Like | Disagree)

Popular Stories

iPhone 17 Pro in Hand Feature Lowgo

iPhone 17 Pro to Reverse iPhone X Design Decision

Monday July 7, 2025 9:46 am PDT by
Since the iPhone X in 2017, all of Apple's highest-end iPhone models have featured either stainless steel or titanium frames, but it has now been rumored that this design decision will be coming to an end with the iPhone 17 Pro models later this year. In a post on Chinese social media platform Weibo today, the account Instant Digital said that the iPhone 17 Pro models will have an aluminum...
iOS 26 Feature

Everything New in iOS 26 Beta 3

Monday July 7, 2025 1:20 pm PDT by
Apple is continuing to refine and update iOS 26, and beta three features smaller changes than we saw in beta 2, plus further tweaks to the Liquid Glass design. Apple is gearing up for the next phase of beta testing, and the company has promised that a public beta is set to come out in July. Transparency In some apps like Apple Music, Podcasts, and the App Store, Apple has toned down the...
apple wallet drivers license feature iPhone 15 pro

Apple Says iPhone Driver's Licenses Will Expand to These 8 U.S. States

Tuesday July 8, 2025 11:26 am PDT by
In select U.S. states, residents can add their driver's license or state ID to the Wallet app on the iPhone and Apple Watch, providing a convenient and contactless way to display proof of identity or age at select airports and businesses, and in select apps. Unfortunately, this feature continues to roll out very slowly since it was announced in 2021, with only nine U.S. states, Puerto Rico,...
iphone 16 pro ghost hand

5 Reasons to Skip This Year's iPhone 17 Pro

Thursday July 10, 2025 4:54 am PDT by
Apple will launch its new iPhone 17 series in two months, and the iPhone 17 Pro models are expected to get a new design for the rear casing and the camera area. But more significant changes to the lineup are not expected until next year, when the iPhone 18 models arrive. If you're thinking of trading in your iPhone for this year's latest, consider the following features rumored to be coming...
apple account card feature

Apple Account Card Expanding to More Countries

Tuesday July 8, 2025 7:34 pm PDT by
Apple is expanding the ability to add an Apple Account Card to the Wallet app to more countries, according to backend Apple Pay changes. With iOS 15.5, Apple updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an Apple gift card, for example, it is added to an Apple Account that is also...
iPhone 17 Pro in Hand Feature Lowgo

Leaker Reveals Amount of RAM in iPhone 17 Through iPhone 17 Pro Max

Wednesday July 9, 2025 8:08 am PDT by
Three out of four iPhone 17 models will feature more RAM than the equivalent iPhone 16 models, according to a new leak that aligns with previous rumors. The all-new iPhone 17 Air, the iPhone 17 Pro, and the iPhone 17 Pro Max will each be equipped with 12GB of RAM, according to Fixed Focus Digital, an account with more than two million followers on Chinese social media platform Weibo. The...
iphone 16 pro models 1

Here's How the iPhone 17 Pro Max Will Compare to the iPhone 17 Pro

Saturday July 5, 2025 1:00 pm PDT by
Apple should unveil the iPhone 17 series in September, and there might be one bigger difference between the Pro and Pro Max models this year. As always, the Pro Max model will be larger than the Pro model:iPhone 17 Pro: 6.3-inch display iPhone 17 Pro Max: 6.9-inch displayGiven the Pro Max is physically larger than the Pro, it has more internal space, allowing for a larger battery and...
imac video apple feature

Apple Launching These 15+ Products Later This Year

Sunday July 6, 2025 8:05 am PDT by
The calendar has turned to July, meaning that 2025 is now more than half over. And while the summer months are often quiet for Apple, the company still has more than a dozen products coming later this year, according to rumors. Below, we have outlined at least 15 new Apple products that are expected to launch later this year, along with key rumored features for each. iPhone 17 Series iPho...