On Thursday, Twitter chief technology officer Parag Agrawal disclosed in a blog post[1] that the company had inadvertently recorded user passwords, in plaintext, in an internal system. This is not how things are supposed to go! And while Twitter has fixed the bug, and doesn't think any of the exposed passwords were accessed in any way, you should still change your Twitter password[2] right now to make sure your account is secure.
"It's a bad thing and Twitter should be held to the fire for it," says David Kennedy, CEO of the penetration testing firm TrustedSec. "But they are taking the right steps by requesting everyone change their password and making the bug public versus hiding it."
Companies generally protect user passwords by scrambling them in a cryptographic process known as hashing[3]. As Agrawal explained, Twitter does this, too, using a well-regarded hash function called bcrypt. But a bug caused Twitter to accidentally store passwords unprotected in some type of internal log before its password management system finished hashing them. The system would then complete the hash, and everything would look fine, even though the passwords were readable in the log. While it's great that Twitter eventually realized the situation and is taking steps to ensure that it never happens again, it's disconcerting that such a fundamental flaw in a crucial user protection existed in the first place.
"I’m sorry that this happened," Agrawal wrote on Twitter after posting the announcement. "We are sharing this information to help people make an informed decision about their account security. We didn’t have to, but believe it’s the right thing to do." The disclosure came on World Password Day.
'Twitter should be held to the fire for it.'
David Kennedy, TrustedSec
It's true