Twitter admitted Thursday that it fixed a bug that stored passwords in plain text in an internal log, stressing that the information in that log was contained within Twitter’s systems and no passwords were compromised.
Chief technology officer Parag Agrawal revealed the bug fix in a blog post, saying that while the social network’s investigation “shows no indication of breach or misuse by anyone,” Twitter still suggested that users consider changing their passwords on its network and anywhere else where the same passwords were used.
A Twitter spokesperson echoed that advice, telling Zack Whittaker of ZDNet, “Since this is not a breach and our investigation has shown no signs of misuse, we are not forcing a password reset but are presenting the information for people to make an informed decision about their account. We believe this is the right thing to do.”
Agrawal explained that Twitter masks passwords via a process called hashing, using a function referred to as bcrypt, which replaces actual passwords with random numbers and letters when they are stored in Twitter’s system, enabling the social network to validate account credentials without revealing passwords.
He wrote, “Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords and are implementing plans to prevent this bug from happening again.”
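The hashing step and the kind of logging defect Agrawal describes, as an added example that is not Twitter's code: a login handler that writes the raw request to its log before hashing, beside one that hashes first and logs only non-secret fields, with a log filter as a second line of defence. It assumes Python's standard-library scrypt as a stand-in for the bcrypt the article names; the user, IP address and password values are constructed.

```python
# Added example, not Twitter's code. The article says Twitter hashes with bcrypt; bcrypt is
# not in the standard library, so hashlib.scrypt is the assumed stand-in. All data is made up.
import hashlib, hmac, io, logging, os
KDF = dict(n=2**14, r=8, p=1)

def hash_password(password: str) -> str:
    """Salted one-way hash: this is what belongs in storage, never the password."""
    salt = os.urandom(16)
    return salt.hex() + "$" + hashlib.scrypt(password.encode(), salt=salt, **KDF).hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **KDF)
    return hmac.compare_digest(digest.hex(), digest_hex)

class RedactSecrets(logging.Filter):
    """Defence in depth: scrub password-like keys from any dict that gets logged."""
    SECRET_KEYS = {"password", "passwd", "pwd", "new_password"}
    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):  # logging unpacks a lone dict argument this way
            record.args = {k: "[REDACTED]" if k.lower() in self.SECRET_KEYS else v
                           for k, v in record.args.items()}
        return True

def make_logger(name: str, sink: io.StringIO, redact: bool) -> logging.Logger:
    logger = logging.getLogger(name)
    logger.handlers.clear(); logger.filters.clear(); logger.propagate = False
    logger.setLevel(logging.DEBUG); logger.addHandler(logging.StreamHandler(sink))
    if redact: logger.addFilter(RedactSecrets())
    return logger

def login_buggy(request: dict, logger: logging.Logger) -> str:
    # The defect the article describes: the raw request, password included, is logged first.
    logger.debug("login request: %s", request)
    return hash_password(request["password"])

def login_fixed(request: dict, logger: logging.Logger) -> str:
    # Hash first, then log only the fields an operator needs for debugging.
    stored = hash_password(request["password"])
    logger.debug("login request: %s", {"user": request["user"], "ip": request["ip"]})
    return stored

def run_demo(password: str = "hunter2") -> dict:
    request = {"user": "alice", "ip": "203.0.113.7", "password": password}
    out = {}  # variant name -> (stored_hash, captured_log_text)
    for name, handler, redact in [("buggy", login_buggy, False), ("fixed", login_fixed, True),
                                  ("buggy_with_filter", login_buggy, True)]:
        sink = io.StringIO()
        out[name] = (handler(dict(request), make_logger(name, sink, redact)), sink.getvalue())
    return out
```

Running `run_demo()` shows the plaintext password only in the buggy variant's log; the filter variant shows how a redaction layer would have caught the same defect even if the hash-first ordering had been missed.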
Security experts were still critical of Twitter, however.
HYPR CEO George Avetisov said, “Passwords are only part of a much bigger problem: how our information is stored. Passwords, usernames and payment credentials (what hackers want) are often stored on one central database, creating a single point of failure—a hacker’s favorite target. When a data breach occurs, a hacker that obtains these credentials from one company (say, Panera) can also access other accounts using the same credentials, even if those companies have not been hacked (say, Macy’s).”
SecurityScorecard co-founder and CEO Aleksandr Yampolskiy added, “I would not call it a bug: It’s pretty bad oversight. This is a 101 basic for cybersecurity to make sure that passwords for users are encrypted with a strong encryption algorithm like AES-256. The big danger of keeping clear text passwords is that any one employee with access to a database can remember these passwords. Users very often reuse passwords on other sites like Gmail, Yahoo and online banking, so knowing a user’s clear text password could allow you access to other sensitive info.”