Change your Twitter password

Twitter is urging all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text. While Twitter’s investigation showed that there was no evidence that any breach or misuse of the unmasked passwords occurred, the company is recommending that users change their Twitter passwords out of an “abundance of caution,” both on the site itself and anywhere else they may have used that password, which includes third-party apps like Twitterrific and TweetDeck.

The good news is, no, Twitter was not storing passwords in clear text (they use bcrypt and all for hashing, which is good). The bad news is, someone left debug code in production deployment, and that code logged passwords in clear text before the hashing phase, so yeah. Not good.
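To make the mistake in the comment above concrete, here is an added example (constructed for this page, not Twitter's code): a login handler whose debug line logs the raw form before hashing, next to the same handler behind a logging filter that redacts credential fields, plus a defender-side check that scans log text for known secrets. PBKDF2 stands in for bcrypt; all field and function names are assumptions.

```python
import hashlib
import io
import logging
import secrets

# Constructed example, not Twitter's code: a login handler whose debug line logs
# the raw form before hashing, and a logging filter that redacts credential fields.
SECRET_FIELDS = {"password", "passwd", "pwd", "secret", "token"}

class RedactSecrets(logging.Filter):
    """Blank out credential-looking fields before any handler formats them."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k.lower() in SECRET_FIELDS else v
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt=None):
    # PBKDF2 stands in for bcrypt so the example needs only the stdlib.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def handle_login(form, log):
    # The "debug" line fires before hashing, so whatever the logger does with
    # form["password"] is what ends up on disk.
    log.debug("login attempt user=%(user)s password=%(password)s", form)
    return hash_password(form["password"])

def run_login(form, redact):
    """Run one login through a fresh in-memory logger and return what it wrote."""
    buf = io.StringIO()
    log = logging.Logger("login", level=logging.DEBUG)
    log.addHandler(logging.StreamHandler(buf))
    if redact:
        log.addFilter(RedactSecrets())
    handle_login(form, log)
    return buf.getvalue()

def audit_log_for_secrets(log_text, known_secrets):
    """Defender check: which known secrets appear verbatim in the log text."""
    return sorted(s for s in known_secrets if s in log_text)
```

Running `run_login(form, redact=False)` shows the password in the clear; with `redact=True` the same line reads `password=[REDACTED]` while the hash is still computed from the real value.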

So it’s not really super-duper urgent like a breach but caution is still warranted.

This sounds like it should affect just a small window of a deployment of production code. I mean, I HOPE this wasn’t around across many production builds of their system…

We have no information on that, but it’s quite possible that it might be something that was there for a while. Maybe not, but at this point, it could have been there forever for all we know.

Anyway, change passwords, don’t reuse passwords, etc. The usual dance. Just to be safe. ;)

Probably the same ball was dropped with Github last week.

Why? To avoid being hacked by someone so they can spam my 20 followers (most of which are also spam)? :)

Does safety have intrinsic value, extrinsic to the value of the things it protects? ;)

Can I use your Twitter and Facebook to espouse my hate for certain minorities in your name?

The bigger issue isn’t Twitter. People who have your Twitter email and password will try to use that to log into any other number of sites, and have scripts to make testing a breeze. If you used this password for any other sites, change them.

Hey Scott, my password is ***********. What’s yours? Dots will echo, as they say.

I know, I was joking. But I do use site specific passwords, unlike the general population, so I am not overly concerned either.

One tip I’ll share for anyone curious is to use a password manager to store your passwords into a database for easy access so you can more readily access all your unique passwords. I recommend one that lets you export the database to a file with the password clearly listed, like KeePassX, because you can do what I did when I found out about Twitter - export and search for any password that matched. I had actually found 2 others, one of which was using the same username (email address) even, though it was only Gamestop Rewards. I changed all three just to be on the safe side.