Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Identity & Access

Twitter Urges Password Changes After Exposing ‘Unmasked’ Credentials

Twitter on Thursday warned its users that an internal software bug unintentionally exposed “unmasked” passwords by storing them in an internal log.

Twitter on Thursday warned its users that an internal software bug unintentionally exposed “unmasked” passwords by storing them in an internal log.

Twitter CTO, Parag Agrawal, explained that Twitter hashes passwords using the popular bcrypt function, which replaces an actual password with a random set of numbers and letters, allowing Twitter’s systems to validate credentials without revealing passwords, while also masking them so Twitter employees can’t see them.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote in a blog post.

Agrawal said the bug has been fixed and an investigation shows no indication of breach or misuse by anyone, but urged users to change their passwords.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” Agrawal noted. 

He also suggested that users enable two factor authentication, calling it “the single best action you can take to increase your account security.”

Advertisement. Scroll to continue reading.
Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.