It is alarming, but nothing to worry about… just a few precautions to take. The microblogging service Twitter discovered a bug that left users’ passwords “unmasked” in an internal log. This means that instead of showing up as a masked string of random letters and numbers, the password itself was displayed in plain text.
In a blog post released by the social media company, it was revealed that a bug had been identified that caused the password hashing process (which replaces your password with a random string of letters and numbers) to fail, leaving the unmasked passwords of its users stored in an internal log.
Twitter is urging all of its more than 330 million users to immediately change their passwords after a bug exposed them in plain text. The bug occurred due to an issue in the hashing process, which masks passwords by replacing them with a random string of characters that gets stored on Twitter’s system. Due to an error with the system, passwords were apparently being saved in plain text to an internal log instead of being masked by the hashing process.
Even though the company says it has no reason to believe anyone obtained any sensitive information, it is telling users to change their current password “out of an abundance of caution.”
Twitter claims to have found the bug on its own and removed the passwords. It’s working to make sure that similar issues don’t come up again. In its blog post, Twitter said it found the glitch itself and did not find any “breach or misuse by anyone.”
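The failure described above, a raw password reaching a log before the hashing step, can be guarded against at the logging layer. The following is an added example, not Twitter's code: the field names, the `handle_signup` handler and the sample request are assumptions made for illustration, and PBKDF2 stands in for whatever hashing the service actually uses.

```python
import hashlib
import logging
import os
import re

# Assumed field names; a real service would list its own credential parameters.
SENSITIVE = re.compile(r'(?i)\b(password|passwd|pwd|token)=([^\s&]+)')


class RedactSecrets(logging.Filter):
    """Mask credential values in every record before the handler writes it."""
    def filter(self, record):
        # Render msg % args first so secrets passed as arguments are caught too.
        record.msg = SENSITIVE.sub(r'\1=[REDACTED]', record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """In-memory stand-in for the internal log file."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; only this value is meant to be stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def handle_signup(logger, form):
    # The failure mode: the raw request is logged before hashing completes.
    logger.info("signup request: %s", "&".join(f"{k}={v}" for k, v in form.items()))
    return hash_password(form["password"])


def demo(redact):
    """Return the log lines written for one signup, with or without the filter."""
    logger = logging.getLogger(f"signup-demo-{redact}")
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    logger.handlers = [handler]
    if redact:
        handler.addFilter(RedactSecrets())
    handle_signup(logger, {"user": "alice", "password": "correct-horse-9"})  # constructed input
    return handler.lines
```

Calling `demo(False)` shows the plain-text password in the log line, while `demo(True)` shows the same line with the value masked; the stored hash is unaffected in both cases.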
HOW TO CHANGE YOUR TWITTER PASSWORD
On the web: Go to Twitter.com, click your profile image in the upper right, choose Settings and privacy and then, when the next page loads, select Password in the list running down the left side. Twitter will ask for your existing password and then your new one. Use a strong, unique password, and never reuse passwords across multiple services, apps, and online accounts.
From the mobile app: Tap your profile photo at the upper left and choose Settings and privacy. Then Account, followed by Change password. Again, ensure that your new password is used exclusively for your Twitter account.
HOW TO ENABLE LOGIN VERIFICATION (TWO-FACTOR AUTHENTICATION)
A password alone isn’t enough of a wall between you and people with tech smarts and bad intentions. Aside from changing your Twitter password, locking down your account to the fullest extent possible requires enabling the company’s login verification feature.
This two-factor authentication process can either send a code to your mobile phone number whenever a new device attempts to sign in to your account with the correct password, or let you generate your own code within a third-party app made for that specific purpose, like Authy. The latter approach is safer since SMS itself can be compromised.
Turning on login verification from the web:
- Click your profile icon, then click Settings and privacy.
- Choose Account and then set up login verification. On mobile, there’s an extra step here where you’ll have to tap on the Security section inside Settings and privacy.
- Read the overview instructions, then click Start.
- Enter your password and click Verify.
- Click Send code to add your phone number if that’s the verification method you want.
- Enter the verification code sent to your phone, hit Submit, and login verification will then be enabled.
In general, it’s worth taking some time to set up your passwords carefully. Consider switching over to a password manager, and avoid repeating passwords across services. That way, when leaks like this happen, you can avoid the worst of the damage.