A bug discovered in Twitter’s internal computer systems unintentionally exposed user passwords by storing them unmasked in an internal log.
Twitter disclosed the issue in an official blog post and in a series of Tweets from Twitter Support:
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you’ve used this password. https://t.co/RyEDvQOTaZ
— Twitter Support (@TwitterSupport) May 3, 2018
Twitter hashes passwords using a function known as bcrypt, which replaces the actual password with a random set of numbers and letters that is then stored in Twitter’s computer systems. This allows the social media company to validate users’ credentials without revealing the actual passwords, even to Twitter employees.
When the bug was discovered, an internal investigation was conducted right away, and it found no indication that the bug was exploited or that it was caused by an insider breach.
“We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again. We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.” Twitter CTO Parag Agrawal said.
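The failure described here, a plaintext password reaching a log, can be guarded against at the logging layer. The following is an added example, not Twitter's code and not from the original article: a Python `logging` filter that masks credential fields before a record is written. The field names, logger name and sample events are constructed for illustration.

```python
import io
import logging
import re

# Field names treated as secrets (an assumption of this example; extend per application).
SENSITIVE_KEYS = ("password", "passwd", "new_password", "secret", "token")
MASK = "********"
# Matches key=value, key: value and "key": "value" forms in rendered log text.
PATTERN = re.compile(
    r'(?i)(["\']?\b(?:%s)\b["\']?\s*[:=]\s*)("[^"]*"|\'[^\']*\'|[^\s,;&}]+)'
    % "|".join(SENSITIVE_KEYS))

def mask_text(text):
    def repl(m):
        quote = m.group(2)[0] if m.group(2)[0] in "\"'" else ""
        return m.group(1) + quote + MASK + quote  # keep surrounding quotes intact
    return PATTERN.sub(repl, text)

def mask_value(value):
    """Mask secrets in structured log arguments (dicts, lists, tuples, strings)."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else mask_value(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(mask_value(v) for v in value)
    return mask_text(value) if isinstance(value, str) else value

class RedactSecrets(logging.Filter):
    def filter(self, record):
        if record.args:
            record.args = mask_value(record.args)
        # Render first, then mask: this also covers "password=%s" % plaintext.
        record.msg, record.args = mask_text(record.getMessage()), None
        return True

def demo():
    """Log constructed login events through the filter and return what was written."""
    handler = logging.StreamHandler(io.StringIO())
    handler.addFilter(RedactSecrets())
    log = logging.getLogger("auth.demo")  # hypothetical logger name
    log.handlers[:] = [handler]
    log.setLevel(logging.INFO)
    log.propagate = False
    # Constructed events; "hunter2" stands in for a user's plaintext password.
    log.info("login attempt user=alice password=hunter2")
    log.info("signup payload: %s", {"user": "bob", "password": "hunter2"})
    log.info('request body {"user": "carol", "password": "hunter2"}')
    log.info("password=%s for user %s", "hunter2", "dave")
    return handler.stream.getvalue()
```

Attach the filter to handlers rather than loggers so that records propagated from child loggers are covered. It is a backstop: the primary fix remains never passing the plaintext credential to a logging call.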
With this in mind, consider changing your Twitter password and enabling 2-factor authentication, just to be on the safe side.