Twitter password bug potentially exposes 330M users, Jack Dorsey says

The company says it hasn't found any indication of a breach or misuse.

Abrar Al-Heeti Technology Reporter

Abrar Al-Heeti is a technology reporter for CNET, with an interest in phones, streaming, internet trends, entertainment, pop culture and digital accessibility. She's also worked for CNET's video, culture and news teams. She graduated with bachelor's and master's degrees in journalism from the University of Illinois at Urbana-Champaign. Though Illinois is home, she now loves San Francisco -- steep inclines and all.

Expertise Abrar has spent her career at CNET analyzing tech trends while also writing news, reviews and commentaries across mobile, streaming and online culture. Credentials

Named a Tech Media Trailblazer by the Consumer Technology Association in 2019, a winner of SPJ NorCal's Excellence in Journalism Awards in 2022 and has three times been a finalist in the LA Press Club's National Arts & Entertainment Journalism Awards.

See full bio

Alfred Ng Senior Reporter / CNET News

Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.

See full bio

Abrar Al-Heeti

Alfred Ng

May 4, 2018 9:43 a.m. PT

3 min read

Twitter is telling its 330 million users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. The company says it fixed the bug and that there's no indication of a breach or misuse, but it's encouraging the password update as a precaution.

We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018

The problem happened because of a bug in Twitter's password hashing. It's standard security practice for companies to encrypt or scramble passwords they're storing on an internal server. So, if your password was "12345" -- which we highly recommend against -- it wouldn't show up on the website's internal database as "12345," but rather as a random mix of numbers and letters representing each character.

Twitter said it stored encrypted passwords using a hashing algorithm called bcrypt. But the social network found it had stored the passwords in plaintext before they were encrypted. Twitter said this happened because of a bug.

The company didn't respond to a request for more details.

Twitter CEO Jack Dorsey said in a tweet that the bug caused the account passwords to be "written to an internal log before completing a masking/hashing process." Twitter deleted the log after discovering it and the company told users that it's "implementing plans to prevent this bug from happening again."

Cybersecurity slipups can have major effects when they involve companies that hold information on millions of people. The Equifax breach, in which 147.7 million Americans' Social Security numbers were exposed, also involved data that hadn't been encrypted internally.

If Twitter had been hacked, hashed passwords would've provided an extra layer of protection. Storing passwords in plaintext creates a major security issue, as it gives potential hackers easy access to sensitive information. T-Mobile Austria landed in hot water in April after admitting that it had stored passwords in partial plaintext. GitHub, a code repository website, also suffered a similar bug where passwords were accidentally stored in plaintext.

"If all the 330 million passwords were stored in clear text in an internal log, then it's not really a bug but a design flaw," said Archie Agarwal, CEO of cybersecurity company ThreatModeler. "It also appears this has been there for a very long time -- another reason why they are asking everyone and not just a few users to change their password."

Twitter didn't comment on how long the bug existed before it was discovered.

Though Twitter said it doesn't think the passwords were lost in a breach or misused, passwords on internal logs are encrypted so employees with access at the company can't see them either.

Twitter has been downplaying the effects of the problem.

"I'd emphasize that this is not a breach and our investigation shows no signs of misuse," a Twitter spokeswoman said. "As such, we are sharing the information so people can make an informed decision on their account security."

Twitter Chief Technology Officer Parag Agrawal adopted a similar tone, writing in a tweet, "We are sharing this information to help people make an informed decision about their account security. We didn't have to, but believe it's the right thing to do."

Agrawal later apologized for his statement, pointing out that it was a mistake to say "we didn't have to."

Users are getting a prompt to change their password when they log in to Twitter. You can follow our guide on how to change your Twitter password here.

screen-shot-2018-05-03-at-2-05-49-pm — A Twitter prompt to change your password.
CNET

"The risk that your password had been compromised is in a category of low to intermediate," said Martin Hron, a security researcher for antivirus company Avast. "However, it is advised to change your password, because no one is aware, so far, how long that logging had been in place."

First published May 3, 1:19 p.m. PT
Updates, 1:31 p.m.: Adds details on Twitter's password bug; 1:42 p.m.: Includes details on plaintext passwords; 1:52 p.m.: Adds statements from Twitter's chief technology officer; 2:17 p.m.: Includes analysis from a securityexpert; 2:55 p.m.: Adds follow-up from Twitter; May 4 at 9:43 a.m.: Adds guide to how to change your Twitter password.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.