Microblogging site Twitter announced on Thursday that it has been hit by a bug that stored passwords unmasked in an internal log, forcing the company to purge all hashed passwords from its system. There has been “no indication of a breach or misuse,” according to Twitter's investigation. In any case, Twitter is now urging all of its users to change their account passwords as soon as possible to safeguard their privacy and security.
Twitter explained in a blog post that the issue occurred during the hashing process, in which the actual passwords are replaced with a random set of alphanumeric characters that are saved in Twitter’s system. When a user enters account credentials, the system validates them without divulging the actual password. In this case, the bug wrote the passwords to an internal log before Twitter’s system completed the hashing process. The social network managed to track down the bug a few weeks ago and decided to remove the hashed passwords from its servers to prevent any potential leak.

Although Twitter is confident that no breach or misuse is taking place, it is urging users not to let their guard down and to consider changing their passwords. In addition, the company recommended a few measures to secure one's account. Twitter suggested changing the password on any other service where the user may have used a password similar to the one used on Twitter, and avoiding generic or identical passwords on other websites. It also advised users to enable login verification or two-factor authentication to strengthen account security, and to use a password manager to ensure strong, distinct passwords.

In light of the issue, Twitter has apologized to its users and has guaranteed that it is now carrying out the necessary steps to prevent this bug from striking again down the line.
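The failure described above, where a password reaches a log before it is hashed, can be reproduced and contained in a few lines. This is an added example, not code from Twitter or from the article; the form field names, the logger setup and the use of PBKDF2 as the hash are assumptions.

```python
import hashlib, hmac, io, logging, os

SENSITIVE_KEYS = {"password", "new_password"}  # assumed form field names

class RedactSecrets(logging.Filter):
    """Mask sensitive values in dict log arguments before the handler formats them."""
    def filter(self, record):
        if isinstance(record.args, dict):
            # Build a new dict so the caller's form is left untouched.
            record.args = {k: "[REDACTED]" if k in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt=None):
    # PBKDF2 is a stand-in; the page does not name the hash function in use.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify(password, salt, expected):
    # Re-hash the submitted password and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def handle_login(log, form, store):
    # The mistake: the whole submitted form is logged before the password is hashed.
    log.info("login request: %s", form)
    salt, expected = store[form["user"]]
    return verify(form["password"], salt, expected)

def run_demo(redact):
    """Return (login_ok, captured_log_text), with or without the redaction filter."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        handler.addFilter(RedactSecrets())
    log = logging.getLogger("auth_demo_redacted" if redact else "auth_demo_plain")
    log.setLevel(logging.INFO)
    log.propagate = False
    log.handlers = [handler]
    store = {"alice": hash_password("correct horse")}  # constructed account
    form = {"user": "alice", "password": "correct horse"}  # constructed request
    return handle_login(log, form, store), stream.getvalue()

if __name__ == "__main__":
    for redact in (False, True):
        ok, text = run_demo(redact)
        print(f"redact={redact} login_ok={ok} log={text.strip()}")
```

The filter is a safety net for log calls that slip through review; the primary fix is still to avoid passing credential-bearing objects to the logger at all.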
Meanwhile, Twitter previously acknowledged that it gave user data to Global Science Research (GSR), a marketing company based in San Francisco, California, which is run by Aleksandr Kogan, the academic psychologist and data scientist at the center of Facebook's Cambridge Analytica scandal. However, Twitter has clarified that GSR did not have access to any private information about its users.