Twitter Urges Password Changes After Exposing ‘Unmasked’ Credentials

Twitter on Thursday warned its users that an internal software bug unintentionally exposed “unmasked” passwords by storing them in an internal log.

Twitter CTO, Parag Agrawal, explained that Twitter hashes passwords using the popular bcrypt function, which replaces an actual password with a random set of numbers and letters, allowing Twitter’s systems to validate credentials without revealing passwords, while also masking them so Twitter employees can’t see them.

“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again,” Agrawal wrote in a blog post.

Agrawal said the bug has been fixed and an investigation shows no indication of breach or misuse by anyone, but urged users to change their passwords.

“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password,” Agrawal noted. 

He also suggested that users enable two factor authentication, calling it “the single best action you can take to increase your account security.”