Twitter issued a security alert to its 336 million users on Thursday urging them to change their passwords. This is the result of a bug that caused some of the passwords to be stored in an internal log, unprotected.
Full details have not been revealed; however, Twitter has announced that the bug has now been fixed and that its investigation into the matter indicated no breach has taken place. The company is still urging users to change their account password via settings. The bug allowed user passwords to be stored in an internal log, unprotected and not masked by the hashing process known as bcrypt. It seems Twitter was logging passwords in plain text.
In a tweet, CEO Jack Dorsey reassured users:
“We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect.”
What remains unclear is exactly how many passwords were affected and how long this went undetected. According to Reuters, the number was “substantial” and the issue was undetected “for months”.
Today, many users are being met with a pop-up urging them to change their password.