Twitter Passwords Exposed: Change Yours Right Now
Twitter said some user passwords were left 'unmasked' and that you should change yours, though we don't know how serious this really is.
Twitter announced today (May 3) that it had accidentally "unmasked" user passwords by storing them unencrypted in an internal log file.
The company didn't say how many user accounts were involved or how long the possible exposure lasted, but it did say it had fixed the mistake and that there was no evidence the passwords had been accessed without authorization or that any kind of data breach had occurred.
How long the "unmasking" lasted is crucial. If it was one day, you probably needn't worry about changing your password. If it was six months, you should consider it, just as a precaution. If the passwords lay exposed for 10 years, then you definitely need to. But as of now, Twitter isn't saying.
The least you should do is to turn on Twitter's two-factor authentication option, or "login verification," if you haven't already. Click or tap your Twitter icon on the website or mobile app and select "Settings and Privacy" from the resulting menu. Select "Login verification" under Security on the website, or Account > Security on the mobile app, and follow the directions to set up two-factor authentication.
The website also gives you the option to "require personal information to reset your password," such as by providing an email address or a phone number, and you should choose that option.
"We recently found a bug that stored passwords unmasked in an internal log," stated a tweet from the official Twitter Support account at 4:04 pm EDT Thursday. "We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password."
A linked blog posting explained that Twitter normally "hashes" passwords using the Bcrypt hashing algorithm, which is very strong and has never been compromised to our knowledge.
Hashes are a form of one-way encryption — input of any length results in a seemingly irreversible jumble of letters and numbers. Most online services keep hashes of user passwords instead of the passwords themselves. When you log in, whatever you enter in the password field is quickly run through the same hashing algorithm and then compared to your hashed password on file.
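As an added illustration (not Twitter's code, and not from the article), this Python sketch shows the hash-and-compare login flow described above together with the failure mode Twitter reported: a request logged before hashing leaves the plaintext password in the log, while redacting secret fields first does not. The in-memory user store and log, and PBKDF2-HMAC-SHA256 standing in for bcrypt, are assumptions made for this example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Tuple

# Constructed in-memory stand-ins for a user database and an internal log file.
USERS: Dict[str, Tuple[bytes, bytes]] = {}
LOG_LINES: List[str] = []
SENSITIVE_FIELDS = {"password"}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash. PBKDF2-HMAC-SHA256 from the standard library stands in
    for bcrypt here so the example runs without third-party packages."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest

def register(username: str, password: str) -> None:
    """Store only the salt and the hash, never the password itself."""
    USERS[username] = hash_password(password)

def verify(username: str, password: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)

def redact(request: Dict[str, str]) -> Dict[str, str]:
    """Replace secret fields before anything reaches a log."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in request.items()}

def handle_login(request: Dict[str, str], redact_before_logging: bool = True) -> bool:
    """Login handler. With redact_before_logging=False it reproduces the failure mode
    the article describes: the raw request, password included, is written to the
    log before the hashing step runs."""
    to_log = redact(request) if redact_before_logging else request
    LOG_LINES.append("login request: " + json.dumps(to_log, sort_keys=True))
    return verify(request["username"], request["password"])

def log_contains(secret: str) -> bool:
    """Check the log for a plaintext secret, as an auditor would after such a bug."""
    return any(secret in line for line in LOG_LINES)
```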
"Due to a bug, passwords were written to an internal log before completing the hashing process," the blog posting states. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
The posting goes on to say that users should change their passwords on Twitter and anywhere else they'd use their Twitter passwords, and that the replacement password should be strong and unique. It also recommends using a password manager.
Again, we don't know how long the file with the plaintext passwords existed, so we have no idea how much risk you run if you don't change your password. The fact that Twitter suggests you do could indicate that the risk is serious — or that the company is simply covering its butt. But changing your Twitter password probably couldn't hurt.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
wzis: This is very bad: passwords should never be saved unencrypted; they should always be saved after one-way encryption.

rgd1101, quoting wzis:
> This is very bad: passwords should never be saved unencrypted; they should always be saved after one-way encryption.

One-way encryption? You mean hash?

DanIsHardWhere: No, one-way encryption (or any type of encryption for that matter) and hashes/salts are in no way related to each other, and Tom has not confused them.
