Nicolas Asfouri/Getty Images

Twitter is advising users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. The company says it fixed the bug and there is no indication of a breach or misuse.

Still, it's urging its 330 million users to change their passwords as a precaution.

We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ — Twitter Support (@TwitterSupport) May 3, 2018

The issue appeared through a bug in Twitter's password hashing. It's a standard security practice for companies to encrypt passwords to store on its internal servers. So if your password is "12345" -- which we highly recommend against -- it wouldn't show up on the website's database as "12345," but rather a random mix of numbers and letters representing each character.

Twitter said it stored encrypted passwords using a hashing algorithm called bcrypt. But the social network had stored the password in plain-text before it was encrypted. Twitter said this happened because of a bug. The company did not respond to a request for comment to clarify what the bug was.

The company's CEO, Jack Dorsey, said in a tweet the bug caused the account passwords to be "written to an internal log before completing a masking/hashing process."

Those passwords were kept on an internal log before Twitter discovered and deleted them. The company said it was "implementing plans to prevent this bug from happening again."

Cybersecurity slip-ups can have major impacts when it's from companies holding information on millions of people. The Equifax breach, which lost data on 147.7 million Americans' social security numbers, also didn't have its data encrypted internally. If Twitter had suffered a breach, hashed passwords would have provided an extra layer of protection. Storing passwords in plain text creates a major security issue as it gives potential hackers easy access to sensitive information.

"If all the 330 million passwords were stored in clear text in an internal log then it's not really a bug but a design flaw," Archie Agarwal, CEO of ThreatModeler, a cybersecurity company, said. "It also appears this has been there for a very long time, another reason why they are asking everyone and not few users to change their password."

Twitter did not comment on how long the bug existed until they discovered the flaw.

While Twitter said it doesn't believe the passwords had been lost in a breach or misused, passwords on internal logs are designed to be encrypted so that employees with access at the company can't see it either. While advising users to change their passwords as a precaution, Twitter has also been downplaying the effects of the bug.

"I'd emphasize that this is not a breach and our investigation shows no signs of misuse. As such, we are sharing the information so people can make an informed decision on their account security," a Twitter spokeswoman said.

Twitter's chief technology officer Parag Agrawal followed a similar tone, writing in a tweet, "We are sharing this information to help people make an informed decision about their account security. We didn't have to, but believe it's the right thing to do."

Users are getting a prompt to change their password when they log into Twitter.

CNET

Passwords are supposed to only be stored in their hashed versions so that in the event of a breach, the hacker will have much more trouble gaining access to millions of accounts. T-Mobile Austria landed in hot water in April after admitting that it had stored passwords in partial plain text. GitHub, a code repository website, also suffered a similar bug where passwords were accidentally stored in plaintext.

First published May 3, 1:19 p.m. PT

Updates, 1:31 p.m.: Adds details on Twitter's password bug; 1:42 p.m.: Includes details on plain-text passwords; 1:52 p.m.: Adds statements from Twitter's chief technology officer; 2:17 p.m.: Includes analysis from a security expert.