Twitter has recommended its 336 million users change their passwords after the company discovered a bug that stored passwords in plain text in an internal system.
Twitter said it has since fixed the issue. Although the company said there is no evidence that passwords have been leaked or misused, it is urging its users to update their passwords.
“As a precaution, consider changing your password on all services where you’ve used this password,” the company tweeted.
“We are very sorry this happened,” said Twitter’s chief technology officer, Parag Agrawal, in a blogpost.
Twitter did not specify how many passwords were stored there.
The blogpost explains that Twitter will mask the passwords by hashing them with a function known as bcrypt. In this process, the actual password is replaced with a set of numbers and letters, which is then stored in the Twitter system. These are used to confirm account credentials without revealing the actual password. Hashing of passwords is a common industry practice.
“Due to a bug, passwords were written to an internal log before completing the hashing process.” Twitter found this error itself, removed the passwords, and is implementing plans to prevent this bug from happening again.
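To make the bug class concrete, the following added example (not Twitter's code, and not from the blogpost) shows a signup routine that logs the request before hashing, first without and then with a logging filter that scrubs credential fields. The field names, the in-memory log and the sample account are assumptions, and PBKDF2 from Python's standard library stands in for bcrypt.

```python
import hashlib, hmac, logging, os

SENSITIVE_KEYS = {"password", "passwd", "new_password"}  # assumed field names

class RedactSecrets(logging.Filter):
    """Replace credential values in a record's named arguments before any handler sees them."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else v
                           for k, v in record.args.items()}
        return True

class MemoryLog(logging.Handler):
    """Stand-in for the internal log: keeps the formatted lines in a list."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(self.format(record))

def hash_password(password, salt=None):
    # PBKDF2 from the standard library stands in for bcrypt in this sketch.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def signup(log, store, user, password):
    # The failure mode: the request is logged before the hash is computed.
    log.info("signup user=%(user)s password=%(password)s",
             {"user": user, "password": password})
    store[user] = hash_password(password)  # only salt and digest are kept

def run_demo(redact):
    log = logging.getLogger("demo.redacted" if redact else "demo.raw")
    log.setLevel(logging.INFO)
    log.propagate = False
    sink = MemoryLog()
    log.handlers = [sink]
    log.filters = [RedactSecrets()] if redact else []
    store = {}
    signup(log, store, "alice", "correct horse battery")  # constructed sample
    return sink.lines, store

if __name__ == "__main__":
    print(run_demo(False)[0], run_demo(True)[0], sep="\n")
```

The credential store is identical in both runs; only the log line differs, which is why hashing alone does not protect a password that is written out earlier in the request path.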
Agrawal advises people to change their passwords, enable two-factor authentication on their Twitter account and use a password manager to create strong, unique passwords on every service they use.
Twitter is also prompting users to change their passwords via a pop-up window on the site that explains the nature of the bug and links to their Settings page.