Twitter announced today (May 3) that it had accidentally "unmasked" user passwords by storing them unencrypted in an internal log file.
The company didn't say how many user accounts were involved or how long the possible exposure lasted. But the company did say it had fixed the mistake and that there was no evidence the passwords were ever accessed without authorization, or that there was any kind of data breach.
How long the "unmasking" lasted is crucial. If it was one day, you probably needn't worry about changing your password. If it was six months, you should consider it, just as a precaution. If the passwords lay exposed for 10 years, then you definitely need to. But as of now, Twitter isn't saying.
The least you should do is to turn on Twitter's two-factor authentication option, or "login verification," if you haven't already. Click or tap your Twitter icon on the website or mobile app and select "Settings and Privacy" from the resulting menu. Select "Login verification" under Security on the website, or Account > Security on the mobile app, and follow the directions to set up two-factor authentication.
The website also gives you the option to "require personal information to reset your password," such as by providing an email address or a phone number, and you should choose that option.
"We recently found a bug that stored passwords unmasked in an internal log," stated a tweet from the official Twitter Support account at 4:04 pm EDT Thursday. "We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password."
A linked blog posting explained that Twitter normally "hashes" passwords using the Bcrypt hashing algorithm, which is very strong and has never been compromised to our knowledge.
Hashes are a form of one-way encryption — input of any length results in a seemingly irreversible jumble of letters and numbers. Most online services keep hashes of user passwords instead of the passwords themselves. When you log in, whatever you enter in the password field is quickly run through the same hashing algorithm and then compared to your hashed password on file.
"Due to a bug, passwords were written to an internal log before completing the hashing process," the blog posting states. "We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
The posting goes on to say that users should change their passwords on Twitter and anywhere else they'd use their Twitter passwords, and that the replacement password should be strong and unique. It also recommends using a password manager.
Again, we don't know how long the file with the plaintext passwords existed, so we have no idea how much risk you run if you don't change your password. The fact that Twitter suggests you do could indicate that the risk is serious — or that the company is simply covering its butt. But changing your Twitter password probably couldn't hurt.
Best Identity Protection
Get it. IdentityForce UltraSecure+Credit is the best overall service for both credit monitoring and identity protection. It also protects your account with two-factor authentication.
Best Data Monitoring
It's worth it. Get LifeLock Ultimate Plus if you're very worried about having your identity stolen and you also need antivirus software. But you can get better credit monitoring for less with IdentityForce UltraSecure+Credit.
Good, but not the best. Identity Guard isn't bad, but for about the same price, IdentityForce UltraSecure+Credit offers more comprehensive personal-data and credit-file monitoring.