An internal “bug” left millions of Twitter passwords potentially exposed for months in a plain text file, the company revealed, as it urged hundreds of millions of users to change their passwords as a precaution.
Twitter is supposed to hash passwords with bcrypt, a deliberately slow password-hashing function, before storing them, so that only a one-way digest of each password is kept and the password itself is never written to disk. A bug caused passwords to be written to an internal log before the hashing step had completed, Twitter’s chief technology officer Parag Agrawal wrote in a blog post on Thursday.
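The failure described above is a logging bug rather than a weakness in the hash: a request handler logs the incoming credentials before, or instead of, the value that has been hashed. The following is an added illustration written for this page, not Twitter’s code, and nothing about Twitter’s actual handler or log format is known beyond the blog post. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt (an assumption, because bcrypt is not in the standard library; the logging mistake is identical with either), and shows the vulnerable handler beside a fixed one that hashes first and redacts sensitive fields before anything reaches the logger. The function names, the `SENSITIVE_KEYS` set and the sample request are all constructed for the example.

```python
import hashlib
import hmac
import io
import logging
import os

# Stand-in for bcrypt (assumption: not available in the stdlib). The point of the
# example is where the plaintext goes, not which slow hash is used.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a self-describing "pbkdf2_sha256$<salt>$<digest>" string."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Field names that must never appear in a log line (constructed list for the example).
SENSITIVE_KEYS = {"password", "new_password", "old_password", "token", "secret"}


def redact(payload):
    """Copy of the request with every sensitive value replaced by a placeholder."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v) for k, v in payload.items()}


def make_logger(name):
    """Logger writing to an in-memory buffer so the example can inspect what was logged."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))
    return logger, buf


def change_password_vulnerable(payload, logger):
    # Bug: the whole request is logged before hashing, so the plaintext password
    # lands in the log file even though the database only ever sees the hash.
    logger.debug("password change request: %r", payload)
    return hash_password(payload["new_password"])


def change_password_fixed(payload, logger):
    # Hash first, then log only a redacted view of the request. The plaintext is
    # never handed to the logging layer at all, so no log sink can capture it.
    stored = hash_password(payload["new_password"])
    logger.debug("password change request: %r", redact(payload))
    return stored


def log_contains(buf, secret):
    """Check used to demonstrate the leak: does the captured log text hold the secret?"""
    return secret in buf.getvalue()


if __name__ == "__main__":
    request = {"user": "alice", "new_password": "correct horse battery staple"}  # constructed
    vuln_logger, vuln_buf = make_logger("vulnerable")
    change_password_vulnerable(request, vuln_logger)
    print("vulnerable handler leaked plaintext:", log_contains(vuln_buf, request["new_password"]))
    fixed_logger, fixed_buf = make_logger("fixed")
    change_password_fixed(request, fixed_logger)
    print("fixed handler leaked plaintext:", log_contains(fixed_buf, request["new_password"]))
```

The redaction is deliberately keyed on field names rather than on trying to recognise password-like strings, because a log line that is written before the hashing step has no way of knowing which free-form value is the secret; the only reliable fix is to keep the plaintext out of the logging path entirely and, as a second line of defence, to scan retained logs for known test credentials.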
“We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” Agrawal wrote.
Twitter CEO Jack Dorsey said the company saw “no indication of breach or misuse” of the passwords, which Reuters reported (citing sources within the company), had been left open for “several months.”
The blog post did not say how many accounts may have been affected. According to April 2018 estimates, Twitter has about 330 million active users worldwide. Twitter urged all users to consider changing their password “out of an abundance of caution.”
In addition to changing the Twitter password to something strong and unique, Agrawal urged users to enable login verification (Twitter’s two-factor authentication) and to use a password manager.
Some Twitter users weren’t convinced by Agrawal’s description of the problem as a bug, and also took offense at his explanation that Twitter “didn’t have to” share this information.
The news comes after Twitter posted a profitable quarter for the second time in a row, after years of losing money. According to AFP, first-quarter revenue rose to $665 million, 21 percent more than at the same time last year, helped by growth in advertising revenue.