Twitter is urging its more than 330 million users to change their passwords after the company discovered a glitch that caused some of those passwords to be stored in plain, readable text on its internal computer system rather than being obscured by a process known as “hashing”, as is standard practice. While Twitter says its investigation found no evidence that any breach or misuse of the unmasked passwords occurred, the company is recommending that users change their passwords out of an “abundance of caution,” both on the site itself and on any other website or service where they use the same password.
According to the company’s blog, the bug lay in the hashing process, which masks each password by replacing it with a seemingly random string of characters; only that string is supposed to be stored on Twitter’s systems. Because of an error in that system, apparently, passwords were being saved in plain text to an internal log instead of being masked by hashing. Twitter claims to have found the bug on its own and to have removed the unhashed passwords. The blog did not say how many passwords were affected. Reuters reported that a person familiar with the company’s response said the number was “substantial” and that the passwords were exposed for “several months.” Twitter discovered the bug a few weeks ago and has reported it to some regulators, the Reuters report added.
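The failure mode described above, a login path that writes the request to an internal log before the password is hashed, side by side with a hardened version that redacts sensitive fields, as an added example that is not Twitter’s code and does not reflect its actual system. PBKDF2-HMAC-SHA256 and the field names in SENSITIVE_FIELDS are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Field names that must never reach a log line (constructed list for this example).
SENSITIVE_FIELDS = {"password", "new_password", "password_confirmation"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 stands in for the unnamed hashing step on the page."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_unsafe(request: dict, log: list, salt: bytes) -> bytes:
    """The bug class the article describes: the whole request is written to an
    internal log before the hashing step, so the plaintext password lands in it."""
    log.append(f"login user={request['user']} request={request}")
    return hash_password(request["password"], salt)


def redact(record: dict) -> dict:
    """Replace every sensitive field with a fixed marker before logging."""
    return {k: ("<redacted>" if k in SENSITIVE_FIELDS else v) for k, v in record.items()}


def login_safe(request: dict, log: list, salt: bytes) -> bytes:
    """Hardened form: hash first, then log only the redacted record."""
    digest = hash_password(request["password"], salt)
    log.append(f"login user={request['user']} request={redact(request)}")
    return digest


def secrets_in_log(log: list, secrets: list) -> list:
    """Audit check: return the secrets that appear verbatim in any log line."""
    return [s for s in secrets if any(s in line for line in log)]


if __name__ == "__main__":
    salt = os.urandom(16)
    req = {"user": "alice", "password": "correct horse battery staple"}  # constructed sample
    bad_log, good_log = [], []
    login_unsafe(req, bad_log, salt)
    login_safe(req, good_log, salt)
    print("unsafe log leaks:", secrets_in_log(bad_log, [req["password"]]))
    print("safe log leaks:  ", secrets_in_log(good_log, [req["password"]]))
```

The secrets_in_log check is the kind of audit that would have flagged the log file in question; in practice it is run against sample log output with known test credentials rather than against real user passwords.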
Mishandling user data
The disclosure comes at a time when regulators and lawmakers around the world are scrutinizing digital platforms over the way they handle user data, especially following revelations that Facebook (Twitter’s biggest competitor) failed to stop a third-party political consulting firm, Cambridge Analytica, from accessing data on 87 million users without their consent.
The European Union is due later this month to start enforcing a strict new privacy law, the General Data Protection Regulation, which includes steep fines for violators. The US Federal Trade Commission, which investigates companies accused of deceptive practices related to data security, settled with Twitter in 2010 over accusations that the site had “serious lapses” in data security that let hackers access private user data on two occasions. The settlement called for audits of Twitter’s data security program every other year for 10 years.
Should you change your password?
Yes, you probably should. Although Twitter states that passwords have not been inappropriately accessed, the company is asking users to ‘consider’ changing their passwords rather than forcing them to do so, as it might after a confirmed breach. It is still advisable to change your password so that you do not fall victim to any leak of this unhashed password data that Twitter has not discovered. Another essential step for most users is to set up two-factor authentication, which is available to all Twitter users; it keeps your account secure even if your password is improperly accessed by others. Many users choose to have the same password across multiple services and platforms (something I have been guilty of before), so if you are changing your Twitter password it is recommended that you do the same on every other platform where you use the same password.