Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Twitter urges all 336M users to reset passwords due to hashing bug

Last updated

Twitter on Thursday issued a security alert recommending its 336 million users change their passwords, the result of an apparent bug that caused some codes to be stored unprotected on an internal log.

The company revealed the issue in a post to its official blog and a tweets from Twitter Support. CEO Jack Dorsey and Twitter's official account retweeted the Twitter Support message shortly after it went live, while CTO Parag Agrawal tweeted an apology.

Full details are unknown, but Twitter says the recently discovered bug allowed user passwords to be stored to an internal log without first being protected, or masked, by a hashing process known as bcrypt. The industry standard security protocol replaces a passcode with random numbers and letters, and its absence suggests Twitter was logging passwords in plain text.

Twitter has since fixed the glitch and is working to implement safeguards to prevent similar incidents from occurring in the future.

"We've fixed, see no indication of breach or misuse, and believe it's important for us to be open about this internal defect," Dorsey said in a tweet.

How long the bug was left undetected and how many passwords were affected by the glitch is unknown, but the company does not believe sensitive information left its internal servers or was harvested by a nefarious third party. According to Reuters, a person familiar with the matter said the number of passwords impacted by the bug is "substantial," adding that the information was exposed "for months." Twitter began to inform regulators of the bug when it was discovered a few weeks ago, the person said.

As a precautionary measure, Twitter is urging users to reset their Twitter passwords and any other service where the same code was used. The company also suggests using two-factor authentication and a password manager.

Following today's revelations, some users navigating to the service's homepage are seeing a pop-up message that includes notification of the problem and a direct link to system settings, where passwords can be updated.

While not a security breach, Twitter's password glitch adds to a growing pile of high-profile snafus from tech companies trusted with protecting user data. In many cases, services are targeted by hackers in an attempt to cull personal information. For example, MyFitnessPal in March suffered a breach that exposed usernames, email addresses and passwords of some 150 million accounts.



19 Comments

lkrupp 19 Years · 10521 comments

You know, what's the use of taking measures to protect one's privacy when big web services can't even protect your frick'n password?

cmd-z 8 Years · 69 comments

Amen. I hope someone responsible for such an egregious error is taken out behind the wood shed ...

cgWerks 8 Years · 2947 comments

Wow, I hadn't even heard about this anywhere else. Thanks!
Passwords changed for all accounts. :)

lkrupp said:
You know, what's the use of taking measures to protect one's privacy when big web services can't even protect your frick'n password?

Password Manager!!!
At least then you'll only ever have one account hacked no matter how bad of a job they do.

chasm 10 Years · 3626 comments

Who is still storing passwords in plain text in 2018? Idiots, that’s who.

Facebook: oops, data we sold ended up in the wrong hands!
Twitter: hold my beer ...