San Francisco/New Delhi, May 4 : Twitter has urged its 336 million users to change their passwords after the company discovered a bug that stored passwords in plain text in an internal system.
“As a precaution”, Twitter on Thursday recommended its users to consider changing their password on all services where they have used the same password.
The company also assured it has fixed the problem and have seen “no indication of breach or misuse”, the Guardian reported.
On trying to login, a pop-up message said: “Keeping your account secure. When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it.
“We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone.
“Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.”
“We are very sorry this happened,” said Twitter’s Chief Technology Officer, Parag Agrawal, in a blogpost. “We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”
Companies with good security practices typically store user passwords in a form that cannot be read.
In Twitter’s case, passwords are masked through a process called hashing, which replaces the actual password with a random set of numbers and letters that are stored in the company’s system, the Gaurdian reported.
“This allows our systems to validate your account credentials without revealing your password,” said Agrawal. “This is an industry standard.”
“Due to a bug, passwords were written to an internal log before completing the hashing process. We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
In an initial tweet, Agarwal said the company did not have to tell users about the bug, but nevertheless did. But on receiving criticism for saying so, he followed it up with an apology, the Time reported.
“I should not have said we didn’t have to share. I have felt strongly that we should. My mistake,” he tweeted.
Twitter’s CEO Jack Dorsey tweeted that he believes “it’s important for us to be open about this internal defect”.
Agrawal advised people to change their passwords, enable two-factor authentication on their Twitter account and use a password manager to create strong, unique passwords on every service they use.