2018-05-03

Nicolas Asfouri/Getty Images

Twitter is advising users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. The company says it fixed the bug and that there's no indication of a breach or misuse.

Still, it's urging its 330 million users to change their passwords as a precaution.

We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ — Twitter Support (@TwitterSupport) May 3, 2018

The issue stemmed from a bug in Twitter's password hashing. It's standard security practice for companies to hash passwords before storing them on an internal server. So, if your password was "12345" -- which we highly recommend against -- it wouldn't appear in the website's database as "12345," but rather as a scrambled string of numbers and letters derived from it.

Twitter said it stores passwords using a hashing algorithm called bcrypt. But the social network had written the passwords in plaintext to an internal log before they were hashed. Twitter said this happened because of a bug. The company didn't respond to a request for details.

Twitter CEO Jack Dorsey said in a tweet that the bug caused the account passwords to be "written to an internal log before completing a masking/hashing process."

The company said it deleted the log after discovering it and that Twitter is "implementing plans to prevent this bug from happening again."
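As an added illustration, not Twitter's code, here is a constructed stand-in for the defect Dorsey describes (the raw login request logged before hashing) next to one mitigation: a logging filter that scrubs secret fields before any handler formats them. The stand-in uses the standard library's pbkdf2_hmac in place of bcrypt so it runs without extra packages; the field names and work factor are assumptions.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO

ITERATIONS = 200_000          # constructed work factor for the stand-in KDF
SECRET_KEYS = {"password", "new_password", "token"}   # assumed field names
def hash_password(password, salt=None):
    """Salted slow hash; pbkdf2_hmac stands in for bcrypt so this runs on stdlib."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())
def verify_password(password, stored):
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)
def _redact(value):
    """Replace secret-named keys in (nested) dicts with a marker; pass other values through."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if str(k).lower() in SECRET_KEYS else _redact(v)
                for k, v in value.items()}
    return value

class RedactSecrets(logging.Filter):
    """Scrub log arguments before any handler formats them.
    Note: logging stores a lone dict argument as record.args itself, not in a tuple."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = _redact(record.args)
        elif record.args:
            record.args = tuple(_redact(a) for a in record.args)
        return True
def _make_logger(name, redact):
    buf = StringIO()                      # captures what would have reached the internal log
    log = logging.getLogger(name)
    log.handlers.clear(); log.filters.clear()
    log.propagate = False
    log.setLevel(logging.DEBUG)
    log.addHandler(logging.StreamHandler(buf))
    if redact:
        log.addFilter(RedactSecrets())
    return log, buf

def handle_login(request, redact_logs):
    """Returns (stored_hash, captured_log). The defect: the raw request is logged before hashing."""
    log, buf = _make_logger("login-%s" % redact_logs, redact_logs)
    log.debug("login request: %s", request)   # with redact_logs=False, the password lands in the log
    return hash_password(request["password"]), buf.getvalue()
```

Run `handle_login({"user": "alice", "password": "..."}, redact_logs=False)` and inspect the returned log text to see the password in clear; with `redact_logs=True` only `[REDACTED]` appears while the stored hash still verifies.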

Cybersecurity slipups can have major effects when they involve companies that hold information on millions of people. The Equifax breach, in which 147.7 million Americans' Social Security numbers were exposed, also involved data that hadn't been encrypted internally. If Twitter had suffered a breach, hashed passwords would've provided an extra layer of protection. Storing passwords in plaintext creates a major security issue, as it gives potential hackers easy access to sensitive information.

"If all the 330 million passwords were stored in clear text in an internal log, then it's not really a bug but a design flaw," said Archie Agarwal, CEO of cybersecurity company ThreatModeler. "It also appears this has been there for a very long time -- another reason why they are asking everyone and not just a few users to change their password."

Twitter didn't comment on how long the bug existed before it was discovered.

Though Twitter said it doesn't think the passwords were lost in a breach or misused, passwords are supposed to be hashed before they reach any internal system, including logs, so that employees with access at the company can't read them either. While advising users to change their passwords as a precaution, Twitter has been downplaying the effects of the bug.

"I'd emphasize that this is not a breach and our investigation shows no signs of misuse. As such, we are sharing the information so people can make an informed decision on their account security," a Twitter spokeswoman said.

Twitter's chief technology officer, Parag Agrawal, adopted a similar tone, writing in a tweet, "We are sharing this information to help people make an informed decision about their account security. We didn't have to, but believe it's the right thing to do."

Agrawal later apologized for his statement, pointing out that it was a mistake to say "we didn't have to."

Users are getting a prompt to change their password when they log in to Twitter.

CNET

"The risk that your password had been compromised is in a category of low to intermediate. However, it is advised to change your password, because no one is aware so far, how long that logging had been in place," Martin Hron, a security researcher for Avast, an antivirus company, said.

Passwords are supposed to be stored only in their hashed versions so that in the event of a breach, the hacker will have much more trouble gaining access to millions of accounts. T-Mobile Austria landed in hot water in April after admitting that it had stored passwords in partial plaintext. GitHub, a code repository website, also suffered a similar bug where passwords were accidentally stored in plaintext.

