On May 3 Twitter announced that they had uncovered and fixed a bug that had resulted in user’s passwords being stored in plaintext. No information has been released on how many users were affected, and all users are being recommended to change their passwords. If all users were in fact compromised, this would be the one of the largest known data breaches in history.
On May 3 Twitter announced that they had uncovered and fixed a bug that had resulted in user’s passwords being stored in plaintext in an internal log. No information has been released on how many users were affected, and all users are being recommended to change their passwords, and change passwords on all services that use the same password. If all users were in fact compromised, this would be one of the largest known data breaches in history.
In the announcement post Twitter engineering states that they have no reason to believe passwords had been compromised: When you set a password for your Twitter account, we use technology that masks it so no one at the company can see it. We recently identified a bug that stored passwords unmasked in an internal log. We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone. Out of an abundance of caution, we ask that you consider changing your password on all services where you’ve used this password.
The company is presenting this as an abundance of caution and deliberate openness, with Twitter CEO Jack Dorsey tweeting: We recently discovered a bug where account passwords were being written to an internal log before completing a masking/hashing process. We’ve fixed, see no indication of breach or misuse, and believe it’s important for us to be open about this internal defect.
In a previous security incident in 2013, Twitter took the additional step of resetting passwords for impacted users. The more advisory rather than enforced approach to passwords this time around may indicate they are more confident in the lack of breach. In that incident they identified external hacking attempts, and a more targeted set of users: Our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users. As a precautionary security measure, we have reset passwords and revoked session tokens for these accounts.
Even if no external breaches occurred, Twitter has previously faced questions regarding the level of access employees have to user accounts. In December 2017, an outgoing support employee temporarily deleted President Trump’s account. In that case, experts challenged the level of internal controls Twitter had in place. In a CNN technology article at that time, Charles Riley and Rishi Iyengar said: The fact that one worker was able to take down the president’s account left people asking whether Twitter has appropriate internal controls. The early consensus seems to be “no.”
Twitter has not stated how many passwords were stored in this internal log, nor how many employees had access to it. Consequently users should act on the assumption that every password could have leaked in plain text, and change not only their twitter password but also passwords on any accounts that use the same password.
Twitter does not make public how many registered users they have, preferring to report on ‘monthly active users’. However, a 2016 article on the Motley Fool indicates that in the 2016 Q3 investor call, Twitter claimed over 700 million ‘yearly active users’. Using 700 million as a conservative number for the total accounts, a breach of all Twitter accounts would be one of the largest security breaches in history. A 2018 accounting of the top data breaches shows Yahoo at the top with 3 billion user accounts compromised, followed by Adult Friend Finder at 412.2 million, which would put Twitter in 2nd place in terms of size, though a leak of passwords is far less impactful than the personal information leaked in the Equifax Breach in 2017.