

Twitter: No big deal, but everyone needs to change their password

Biz does a GitHub, downplays security blunder as log file of credentials left unencrypted

Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed.

Chief technology officer Parag Agrawal broke the news on Wednesday that Twitter's internal team had found that, while passwords are normally stored only in hashed (scrambled) form, some software had caused at least one log file to record them in plaintext.


"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard," Agrawal said of the non-functioning security feature.

"Due to a bug, passwords were written to an internal log before completing the hashing process."

Twitter is stressing that the issue was found in-house by its own engineers, and that so far there are no indications of anyone outside the company being able to even view the file, let alone harvest the passwords.

Still, Twitter is advising everyone who has an account to change their password and do the same with any other site where the password was reused (as a best practice you shouldn't be reusing passwords anyway).

"We are very sorry this happened," Agrawal added. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."

The timing of the disclosure is particularly annoying for Twitter, as much of the internet is today observing World Password Day by raising awareness of good password management practices and safe storage.

Certainly this was not the type of exposure Twitter was seeking, particularly as it tries to beef up its protection of user data in the wake of the Cambridge Analytica data-harvesting scandal.

$ git blame

Meanwhile, GitHub suffered a similar blunder: it also dumped its users' account passwords as plaintext into its log files.

"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours," GitHub wrote in an email to its users.

"We have corrected this, but you'll need to reset your password to regain access to your account.

"GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time.

"Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way." ®
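The defect both companies describe, a password reset request written to a log before the password is hashed, and two defences against it (logging only a scrubbed copy of the request, plus a logging filter as a safety net), as an added Python example that is not code from Twitter or GitHub. PBKDF2 stands in for bcrypt so the block runs with the standard library alone, and the field names and sample request are constructed assumptions.

```python
import hashlib
import logging
import os
import re

SECRET_FIELDS = {"password", "new_password"}  # assumed field names; extend for your app
REDACTED = "[REDACTED]"
# Safety net for records formatted any way: matches password=... and 'password': '...'
_SECRET_RE = re.compile(
    r"(['\"]?)(%s)\1(\s*[:=]\s*)(['\"]?)[^'\",\s}]*\4" % "|".join(sorted(SECRET_FIELDS)))

def hash_password(password: str) -> str:
    """Stand-in for bcrypt: salted PBKDF2-HMAC-SHA256 from the standard library."""
    salt = os.urandom(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

def redact(fields: dict) -> dict:
    """Copy of a request with secret fields blanked; log this, never the original."""
    return {k: (REDACTED if k in SECRET_FIELDS else v) for k, v in fields.items()}

class RedactSecrets(logging.Filter):
    """Last line of defence: scrub secrets from every record before any handler sees it."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = _SECRET_RE.sub(
            lambda m: f"{m[1]}{m[2]}{m[1]}{m[3]}{m[4]}{REDACTED}{m[4]}", record.getMessage())
        record.args = ()
        return True

def buggy_reset(request: dict, log: logging.Logger) -> str:
    log.info("password reset request: %s", request)  # the defect: raw request logged before hashing
    return hash_password(request["password"])

def fixed_reset(request: dict, log: logging.Logger) -> str:
    log.info("password reset request: %s", redact(request))  # only the scrubbed copy is logged
    return hash_password(request["password"])

def run(handler, filtered: bool) -> list:
    """Call a reset handler on a constructed request; return the log lines it produced."""
    records = []
    log = logging.getLogger(f"demo.{handler.__name__}.{filtered}")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers.clear()
    sink = logging.Handler()
    sink.emit = records.append  # capture records instead of writing them to a file
    log.addHandler(sink)
    if filtered:
        log.addFilter(RedactSecrets())
    handler({"user": "alice", "password": "hunter2"}, log)  # constructed sample request
    return [r.getMessage() for r in records]
```

Running `run(buggy_reset, False)` reproduces the plaintext leak; `run(fixed_reset, False)` and `run(buggy_reset, True)` both show only the redacted value in the log.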
