What Happened With Twitter's Bug And Why It Told Everyone To Change Their Passwords

“Out of an abundance of caution” Twitter advised all users Thursday to change their passwords.

The appeal, though, wasn't because Twitter was hacked or infiltrated. Rather, it was because the social media company recently discovered that account information, namely passwords, had been left exposed in readable form, albeit only internally.

The culprit: “a bug.”

Due to an error in Twitter's computer systems, “passwords were written to an internal log before completing the hashing process,” Twitter CTO Parag Agrawal wrote in a company blog post first disclosing the situation. “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”

Agrawal explained that company procedure is to “mask” passwords through hashing, a one-way transformation that replaces the actual password with a fixed-length string of letters, digits and other characters from which the original cannot be directly recovered; only that string is stored. The copies written to the log in this instance, however, had not yet gone through that hashing step.
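The bug pattern Agrawal describes is easy to reproduce: a request handler that logs the incoming request before the password is hashed. The following is an added example, not Twitter's code or anything from the company's post. It puts the vulnerable flow beside a hardened one that hashes first and only ever logs redacted fields, and includes the check a responder would run over the log. The use of scrypt from Python's standard library, the field names treated as secrets, and the sample request are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Field names treated as secrets (an assumption for this example; a real
# service would maintain its own list).
SECRET_FIELDS = {"password", "new_password", "token"}


def redact(fields: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the request fields with secret values masked."""
    return {k: ("[REDACTED]" if k in SECRET_FIELDS else v) for k, v in fields.items()}


def log_event(sink: List[str], event: str, fields: Dict[str, str]) -> None:
    """Append one key=value log line to an in-memory list standing in for the
    internal log described in the article."""
    sink.append(event + " " + " ".join(f"{k}={v}" for k, v in sorted(fields.items())))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow password hash. scrypt from the standard
    library is a stand-in here (assumption); the article only says "hashing"."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def set_password_vulnerable(user_db: Dict[str, str], username: str,
                            form: Dict[str, str], sink: List[str]) -> None:
    """The bug pattern: the raw request is logged before hashing, so the
    cleartext password is written to the log even though only the hash
    ever reaches the database."""
    log_event(sink, "password_change", {"user": username, **form})
    user_db[username] = hash_password(form["password"])


def set_password_hardened(user_db: Dict[str, str], username: str,
                          form: Dict[str, str], sink: List[str]) -> None:
    """Fixed version: hash first, and log only redacted fields."""
    user_db[username] = hash_password(form["password"])
    log_event(sink, "password_change", redact({"user": username, **form}))


def log_contains(sink: List[str], secret: str) -> bool:
    """Detection check: does any log line carry the cleartext secret?"""
    return any(secret in line for line in sink)


def demo() -> Dict[str, bool]:
    """Run both flows on a constructed request and report what leaked."""
    password = "correct horse battery staple"  # constructed sample input
    form = {"password": password, "client": "web"}
    results: Dict[str, bool] = {}
    for name, handler in (("vulnerable", set_password_vulnerable),
                          ("hardened", set_password_hardened)):
        db: Dict[str, str] = {}
        sink: List[str] = []
        handler(db, "alice", form, sink)
        results[name + "_leaks"] = log_contains(sink, password)
        results[name + "_verifies"] = verify_password(password, db["alice"])
    return results


if __name__ == "__main__":
    print(demo())
```

Both handlers store the same kind of salted hash and both verify correctly, which is exactly why this class of bug goes unnoticed: nothing is wrong with the database, only with what the logging call saw. The `log_contains` check is the simplest version of what an incident responder would run over the affected log files.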

Twitter maintains that its investigation “shows no indication of breach or misuse by anyone.”

But users may never be able to tell for sure, at least not until a leaked password is used to get into one of the other accounts that people log into through Twitter.

“This is a huge deal because Twitter is often used as a single sign-on mechanism into other websites,” George Avetisov, CEO of HYPR, a biometric security firm, told The Daily Caller News Foundation. “A compromised Twitter password may be used to log in on completely unrelated websites.”

Despite Twitter's outward confidence that the bug did no harm, Aleksandr Yampolskiy, co-founder of SecurityScorecard, a company that monitors and grades the cybersecurity health of organizations, says “we don't know,” and that Twitter's actions, or lack thereof, are telling of the potential repercussions.

“Having an unencrypted password in the logs certainly increases the chances of that happening,” Yampolskiy said regarding the chances of individuals' information being exposed. “Even if an attacker compromised Twitter's systems — if the passwords are properly protected, he'd have to reverse the hash, which is a very hard and often impossible process. In this case, however, he wouldn't have to do it.”

There is also the possibility, Yampolskiy conjectured, that “a system administrator working for Twitter can see cleartext passwords and reveal them outside if he was unscrupulous.”

Regardless of whether passwords were compromised, Agrawal outlined and encouraged a number of ways to increase the security of one's account, including two-factor authentication, a mechanism that multiple tech experts told TheDCNF is superior to most others.

To cybersecurity experts like Avetisov and Yampolskiy, that on its own is not enough.

“Twitter should have mandated two-factor authentication by now, but it's still optional,” said Avetisov. “While this isn't a silver bullet, it certainly makes hacking a user's account much more difficult.”

Yampolskiy thinks people will view a plea from the platform to change their passwords as “a big inconvenience.”

“It will be interesting to see users reaction to this,” he continued.

A spokeswoman for Twitter told TheDCNF that they are “not forcing a password reset but are presenting the information for people to make an informed decision about their account.”

“We believe this is the right thing to do,” the company representative said. Without being forced to, many people will not follow good security practice. That is of course the users' responsibility, but, fairly or not, some of the blame will ultimately land on Twitter as well.

Yampolskiy also agrees with Avetisov, arguing that two-factor authentication should be set up by default, and not merely advocated for.

Agrawal said he and Twitter are sorry that this happened, but also added that they “didn't have to” share such information and ask people to change their passwords.

I'm sorry that this happened, but am proud to work at a company that puts people who use our service first.

— Parag Agrawal (@paraga) May 3, 2018

He eventually also apologized for the “mistake” of saying they had no obligation of disclosure.

I should not have said we didn't have to share. I have felt strongly that we should. My mistake.

— Parag Agrawal (@paraga) May 3, 2018

How much Twitter really “puts people who use” its service first isn't clear, since according to Yampolskiy's SecurityScorecard it has lagged behind its peers in the technology industry for at least the past year.

Still, Avetisov says that social media companies in general “are not particularly well known or praised for their cybersecurity practices.”

“Although internal practices and employee access may be held to a high regard, the user security has not kept up,” he continued. “LinkedIn had one of the worst password breaches of all time and Facebook's recent privacy woes are not helping the narrative that social media giants value user account security.”

Follow Eric on Twitter
