Twitter: No big deal, but everyone needs to change their password

Biz does a GitHub, downplays security blunder as log file of credentials left unencrypted

Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed.

Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored scrambled by encryption, some software had caused at least one log file to record them in plaintext.

Twitter logo image

Shocker: Cambridge Analytica scandal touch-paper Aleksandr Kogan tapped Twitter data too


"We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system. This allows our systems to validate your account credentials without revealing your password. This is an industry standard," Agrawal said of the non-functioning security feature.

"Due to a bug, passwords were written to an internal log before completing the hashing process."

Twitter is stressing that the issue was found in-house by its own engineers, and that so far there are no indications of anyone outside the company being able to even view the file, let alone harvest the passwords.

Still, Twitter is advising everyone who has an account to change their password and do the same with any other site where the password was reused (as a best practice you shouldn't be reusing passwords anyway).

"We are very sorry this happened," Agrawal added. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."

The timing of the disclosure is particularly annoying for Twitter, as much of the internet is today observing World Password Day by raising awareness of good password management practices and safe storage.

Certainly this was not the type of exposure Twitter was seeking, particularly as it tries to beef up its protection of user data in the wake of the Cambridge Analytica data-harvesting scandal.

$ git blame

Meanwhile, GitHub suffered a similar blunder: it also dumped its users' account passwords as plaintext into its log files.

"During the course of regular auditing, GitHub discovered that a recently introduced bug exposed a small number of users’ passwords to our internal logging system, including yours," GitHub wrote in an email to its users.

"We have corrected this, but you'll need to reset your password to regain access to your account.

"GitHub stores user passwords with secure cryptographic hashes (bcrypt). However, this recently introduced bug resulted in our secure internal logs recording plaintext user passwords when users initiated a password reset. Rest assured, these passwords were not accessible to the public or other GitHub users at any time.

"Additionally, they were not accessible to the majority of GitHub staff and we have determined that it is very unlikely that any GitHub staff accessed these logs. GitHub does not intentionally store passwords in plaintext format. Instead, we use modern cryptographic methods to ensure passwords are stored securely in production. To note, GitHub has not been hacked or compromised in any way." ®

Similar topics

Other stories you might like

Biting the hand that feeds IT © 1998–2021