By Elton Gomes
In a sudden scare for all Twitter users, on Thursday, the social media giant said that it had discovered a bug that exposed all 330 million users’ passwords in plain text. In a tweet, the company stated that there was “no indication of breach or misuse by anyone.”
Twitter advised users “as a precaution” to consider “changing your password.” The company urged users to change their passwords used on the site, and other places, where the same password might have been used, including apps like TweetDeck and Twitterrific.
Parag Agrawal, Twitter’s chief technology officer, wrote in a blog post: “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day,” the Guardian reported.
Here’s what happened
According to Agrawal’s post, Twitter masks passwords via a process called hashing, which uses a function known as bcrypt. This function “replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system.”
This procedure enables Twitter to validate users’ accounts without revealing their passwords. However, due to the vulnerability discovered within the system, instead of passwords being masked, they were allegedly being saved in plain text form, in an internal log. he Verge, Twitter claimed to have found the bug on its own, and has removed the passwords. The company is working to ensure that similar problems do not arise in the future.
The company did not specify how many passwords were stored during the “breach,” and refused to comment on when the bug was discovered, and how many passwords were affected. Although Twitter reiterated that “this is not a breach,” the company’s shares suffered a setback, and dropped as much as 2.7% in after-hours trading after the bug was disclosed.
Phil Libin, a venture capitalist, told Live Mint: “Twitter’s misstep is disturbing because there’s no reason for companies to store user passwords in plain text, even in internal files.” Libin wrote in a tweet: “This is not a breach. It’s significantly worse.”
Libin derided Twitter for its negligence: “This kind of bug seems grossly negligent at best. There’s no reason for a plaintext password to ever be written to a file. It’s not even the lazy way to code a password handler. It took effort to make this mistake,” as reported by Live Mint.
Why you should care
This development comes just two days after Twitter acknowledged having granted access of large-scale public Twitter data to a former researcher at Cambridge Analytica.
It seems highly unlikely that a company of Twitter’s stature might allow a bug to surface. However, this seems to be an opportunity for users to be more vigilant concerning passwords for social media accounts. To ensure cyber security during potential data breaches, Twitter suggests users to apply stronger passwords. Another way to secure yourself is to keep changing passwords on a regular basis. Apps that store multiple passwords can also come in handy.
Stay updated with all the insights.
Navigate news, 1 email day.
Subscribe to Qrius
