[BreachExchange] Twitter urges all 336M users to reset passwords due to hashing bug

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 3 19:36:59 EDT 2018


The company revealed the issue in a post to its official blog and a tweet
from Twitter Support. CEO Jack Dorsey and Twitter's official account
retweeted the Twitter Support message shortly after it went live, while CTO
Parag Agrawal tweeted an apology.

Full details are unknown, but Twitter says the recently discovered bug
allowed user passwords to be written to an internal log without first being
protected, or masked, by a hashing process known as bcrypt. The
industry-standard security protocol replaces a passcode with random numbers
and letters, and its absence suggests Twitter was logging passwords in plain
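
The failure the article describes is an ordering one: the password reached a log sink before the hashing step ran. The following added example (not Twitter's code and not from the article) puts the flawed flow beside a hardened one and adds the check an incident responder would run over existing logs. It uses only the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for bcrypt (an assumption; bcrypt itself is a third-party package). The log lines and account names are constructed for the example.

```python
"""Plaintext-password-in-logs failure beside a hardened flow (stdlib only)."""
import hashlib
import hmac
import logging
import os
import re
from typing import List, Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the stdlib.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string 'pbkdf2_sha256$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Fields whose values must never appear in a log line (constructed list).
SECRET_FIELD = re.compile(r"\b(password|passwd|pwd|secret|token)=([^\s,;]+)", re.IGNORECASE)


def redact(line: str) -> str:
    """Replace the value of any secret-looking key=value pair with [REDACTED]."""
    return SECRET_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


class RedactingFilter(logging.Filter):
    """Backstop for the logging module: scrub the rendered message before it is emitted."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def flawed_login_attempt(username: str, password: str, sink: List[str]) -> str:
    """The bug class from the article: the raw password is logged before hashing."""
    sink.append(f"login attempt user={username} password={password}")
    return hash_password(password)


def hardened_login_attempt(username: str, password: str, sink: List[str]) -> str:
    """Hash first, and log only fields that carry no secret material."""
    stored = hash_password(password)
    sink.append(redact(f"login attempt user={username} result=ok"))
    return stored


def find_leaked_secrets(lines: List[str]) -> List[Tuple[int, str]]:
    """Responder's check: (line number, field) for every unredacted secret value in a log."""
    hits = []
    for number, line in enumerate(lines, 1):
        for match in SECRET_FIELD.finditer(line):
            if match.group(2) != "[REDACTED]":
                hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample log: one line carries a plaintext password, one is already clean.
SAMPLE_LOG = [
    "2018-04-01T12:00:00Z INFO login attempt user=alice password=hunter2",
    "2018-04-01T12:00:01Z INFO login attempt user=bob result=ok",
    "2018-04-01T12:00:02Z DEBUG api call token=[REDACTED] path=/1.1/account",
]

if __name__ == "__main__":
    for number, field in find_leaked_secrets(SAMPLE_LOG):
        print(f"line {number}: plaintext {field} in log")
    print(redact(SAMPLE_LOG[0]))
```

`find_leaked_secrets` is the piece worth keeping after the fix: run it over log archives to bound how long the defect existed and which accounts need a forced reset, which is the same question the article leaves open. `RedactingFilter` attaches to a logger with `logger.addFilter(RedactingFilter())` and catches the case where a developer logs a request dictionary wholesale; it is a backstop, not a substitute for never passing the secret to a log call in the first place.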

Twitter has since fixed the glitch and is working to implement safeguards
to prevent similar incidents from occurring in the future.

"We've fixed, see no indication of breach or misuse, and believe it's
important for us to be open about this internal defect," Dorsey said in a

How long the bug was left undetected and how many passwords were affected
by the glitch is unknown, but the company does not believe sensitive
information left its internal servers or was harvested by a nefarious third
party. According to Reuters, a person familiar with the matter said the
number of passwords impacted by the bug is "substantial," adding that the
information was exposed "for months." Twitter began to inform regulators of
the bug when it was discovered a few weeks ago, the person said.

As a precautionary measure, Twitter is urging users to reset their Twitter
passwords and any other service where the same code was used. The company
also suggests using two-factor authentication and a password manager.

Following today's revelations, some users navigating to the service's
homepage are seeing a pop-up message that includes notification of the
problem and a direct link to system settings, where passwords can be

While not a security breach, Twitter's password glitch adds to a growing
pile of high-profile snafus from tech companies trusted with protecting
user data. In many cases, services are targeted by hackers in an attempt to
cull personal information. For example, MyFitnessPal in March suffered a
breach that exposed usernames, email addresses and passwords of some 150
million accounts.