If you’re a Twitter user, you’ve likely already got the message: It’s time to reset your password.
Twitter announced on May 3 that it had discovered an issue in its systems that put user passwords at potential risk. The social network began notifying users late in the afternoon through an advisory, email messages sent to registered addresses and, of course, Twitter itself.
“We recently found a bug that stored passwords unmasked in an internal log,” Twitter wrote. “We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password.”
Somewhat ironically, Twitter reported the password issue on what has been declared World Password Day. In a blog post, Twitter CTO Parag Agrawal explained the circumstances behind the issue, which closely resembles one recently disclosed by GitHub.
“We mask passwords through a process called hashing using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that are stored in Twitter’s system,” Agrawal wrote. “This allows our systems to validate your account credentials without revealing your password.”
The problem was that a bug in Twitter’s system caused plaintext passwords to be written to an internal log before they were hashed with bcrypt, Agrawal said. He emphasized that Twitter found the flaw on its own and has already taken steps to prevent it from recurring.
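The pattern Agrawal describes, a request logged in full before the password reaches the hash function, is easy to reproduce and easy to miss in review. The following is an added example, not Twitter’s or GitHub’s code, and it makes two assumptions: it uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so it runs without third-party packages (the logging mistake is identical whichever password hash sits behind it), and the field names, log format and sample login form are all constructed for illustration. It shows the vulnerable handler beside a hardened one that redacts secret fields before logging, plus a scanner a responder could run over existing logs to find already-leaked values.

```python
import hashlib
import hmac
import logging
import os
import re
from io import StringIO

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 with a random salt.
# Format of the stored string is "<salt-hex>$<digest-hex>".
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    # Constant-time comparison so a timing side channel does not leak the digest.
    return hmac.compare_digest(digest.hex(), digest_hex)

# Field names treated as secrets (hypothetical list; extend for your own forms).
SECRET_FIELDS = {"password", "new_password", "current_password", "passwd", "pwd"}

def redact(form: dict) -> dict:
    """Return a copy of the form with secret fields replaced before logging."""
    return {k: ("[REDACTED]" if k.lower() in SECRET_FIELDS else v) for k, v in form.items()}

def make_logger(name: str):
    """Logger writing to an in-memory buffer so the example can inspect its own log."""
    buf = StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger, buf

def handle_login_vulnerable(form: dict, stored_hash: str):
    """The bug: the whole request is logged before the password is hashed."""
    logger, buf = make_logger("login.vulnerable")
    logger.info("login request: %s", form)          # plaintext password lands in the log
    ok = verify_password(form["password"], stored_hash)
    return ok, buf.getvalue()

def handle_login_fixed(form: dict, stored_hash: str):
    """Hardened: secret fields are redacted before anything is written to the log."""
    logger, buf = make_logger("login.fixed")
    logger.info("login request: %s", redact(form))  # only "[REDACTED]" is logged
    ok = verify_password(form["password"], stored_hash)
    return ok, buf.getvalue()

# Responder's check: find password-like fields in log text whose value is not redacted.
LEAK_RE = re.compile(r"""(?i)\b(password|passwd|pwd)\b['"]?\s*[:=]\s*['"]?([^'",\s}]+)""")

def find_leaked_fields(log_text: str):
    return [(field.lower(), value) for field, value in LEAK_RE.findall(log_text)
            if value != "[REDACTED]"]

if __name__ == "__main__":
    # Constructed sample input, not real data.
    form = {"username": "alice", "password": "hunter2-Tr0ub4dor"}
    stored = hash_password(form["password"])
    _, bad_log = handle_login_vulnerable(form, stored)
    _, good_log = handle_login_fixed(form, stored)
    print("vulnerable log:", bad_log.strip())
    print("fixed log:     ", good_log.strip())
    print("leaked fields in vulnerable log:", find_leaked_fields(bad_log))
```

The redaction lives at the logging call, but in a real service it belongs in a logging filter or the request-logging middleware so that every handler inherits it; the scanner is the kind of check to run over archived logs once a bug like this is found, since fixing the code does not clean up what was already written.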
GitHub made a similar announcement on May 1, alerting its users that it had discovered a bug that exposed users’ passwords to the company’s internal logging system.
Risks to Users
Twitter has stated that it is not aware of anyone, inside the company or outside it, accessing or abusing the passwords. Even so, Twitter is advising all of its users to change their passwords out of an abundance of caution.
The fact that both GitHub and Twitter reported the same issue within days of each other could indicate a broader problem. Both companies may simply have misconfigured their own systems, but it is also possible that an underlying software library or component used by both (and likely by others) is at fault. If that is the case, expect other vendors, sites and services to disclose similar issues and password resets in the days ahead.
Also of note is that Twitter has not said how long the issue was present in its system. Whether the passwords were exposed for days, weeks, months or even years is not publicly known at this time. Even though Twitter does not believe the passwords were improperly accessed, the length of the exposure window affects the risk profile.
What Users Should Do
Users should first change their Twitter password, as the company suggests. Because some users reuse the same password on multiple sites, Twitter also suggests changing the password on any other service where the same one was used.
Twitter also recommends that users enable its login verification two-factor authentication (2FA) feature for their Twitter accounts. In December 2017, Twitter made it easier for users to activate 2FA, providing new options beyond SMS.
With 2FA enabled, an attacker who obtains a user’s Twitter password still cannot access the account without the second factor.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.