The bug exposed millions of passwords in plain text

May 3, 2018 20:51 GMT

Twitter urged users on Thursday to immediately change their passwords after discovering an internal bug in its systems which revealed the passwords of millions of Twitter users in plain text.

The microblogging site says in a blog post that it discovered a bug in its systems designed to hash users' passwords, which exposed the passwords in plain text before the hashing process began. The passwords of millions of Twitter users were stored unmasked in an internal log accessible to some employees.

"Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," said Twitter. "Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password."

Twitter said it uses an industry-standard method, called hashing, to mask passwords for its more than 330 million users worldwide. The password hashing process uses a function known as bcrypt, designed to replace the actual password with random characters, which are stored in Twitter's systems. This makes it possible to validate account credentials without revealing the passwords.
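The failure class described above, a password reaching a log before it is hashed, can be reproduced and blocked with a logging filter. The following Python is an added illustration, not Twitter's code: the field names, logger names and sample request are assumptions, and PBKDF2 from the standard library stands in for bcrypt.

```python
import hashlib, hmac, logging, os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed field names

def _scrub(value):
    """Return a copy of a dict argument with sensitive fields masked."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SENSITIVE_KEYS else _scrub(v)
                for k, v in value.items()}
    return value

class RedactSecrets(logging.Filter):
    """Runs before any handler writes the record, so plaintext never reaches the log."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = _scrub(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(_scrub(a) for a in record.args)
        return True

class ListHandler(logging.Handler):
    """Stands in for the internal log: keeps formatted messages in memory."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def hash_password(password, salt=None):
    # PBKDF2 from the standard library stands in for bcrypt here (assumption).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def signup(logger, payload, store):
    logger.info("signup request: %s", payload)  # logged before hashing
    store[payload["username"]] = hash_password(payload["password"])

def run_demo(redact):
    logger = logging.getLogger(f"demo.signup.redact={redact}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = ListHandler()
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactSecrets())
    store = {}
    # Constructed sample request, not real data.
    signup(logger, {"username": "alice", "password": "correct horse"}, store)
    return handler.lines, store
```

With `redact=False` the captured log line contains the plaintext password; with `redact=True` the same line carries `[REDACTED]` while the stored hash still verifies the login.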

Twitter fixed the bug, but you still need to change your password

Twitter said that the bug is now fixed and the plain-text passwords have been removed from its systems. An internal investigation found no indication of a breach or misuse by anyone. In any case, Twitter still recommends that you change your Twitter password as soon as possible and also enable two-factor authentication for stronger security.

To change your Twitter password, simply access twitter.com, click on your avatar on the right side of the screen to open the menu, then click on "Settings and privacy." Go to the "Password" section, input your current password in the first field and the new password twice in the following fields. Save the changes, log out of twitter.com by clicking on your avatar, and log in again with your new password.

Twitter recommends that you use a unique password for your Twitter account, a password that you don't use for any of your other online accounts, including email accounts, and especially the email address assigned to your Twitter account. Also, you should enable two-factor authentication, a setting that can be found in Account Settings, under Security -> Login verification.
