Twitter Failed to Store Passwords Securely, Advises Users to Update Theirs Immediately

Twitter announced this afternoon that they had “recently identified a bug that stored passwords unmasked in an internal log” — with the information in plain text instead of in an encrypted format — and advised all users to immediately change their passwords.

In a post on the company’s blog, Twitter said that the bug had been fixed, and “our investigation shows no indication of breach or misuse by anyone.”

“Out of an abundance of caution,” they urged, “we ask that you consider changing your password on all services where you’ve used this password.”

According to Axios, the announcement from Twitter, which came just before markets closed for the day, caused Twitter stock to drop 2.5% within minutes.

The reason it is industry standard to store sensitive data like passwords in an encrypted format is that it reduces the risk from both external hacking and internal breaches — even if the data is accessed by someone with ill intent, it still won’t be usable to them.
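In practice the protection described above is one-way salted hashing rather than reversible encryption: the service never needs the plaintext back, only to check a login attempt against the stored hash. The following is an added example (not Twitter’s code; the PBKDF2 parameters and the field names are illustrative) showing both halves of the fix this story is about: storing a password in a form that cannot be turned back into the plaintext, and masking credential fields before a request is written to an internal log.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative work factor; real deployments tune this to their hardware.
ITERATIONS = 200_000
# Hypothetical request field names that must never reach a log in plaintext.
SENSITIVE_FIELDS = ("password", "new_password", "passwd")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt$digest'.

    The random salt makes identical passwords hash differently, and PBKDF2
    is one-way: nothing in the record lets a reader recover the plaintext.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(digest.hex(), digest_hex)


def redact_for_log(params: dict) -> dict:
    """Mask credential fields so a request dict can be logged safely.

    This is the step that was missing in the bug described above: the
    internal log received the raw request, plaintext password included.
    """
    return {
        key: ("[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value)
        for key, value in params.items()
    }


if __name__ == "__main__":
    # Constructed sample login request, not real data.
    request = {"username": "alice", "password": "correcthorsebatterystaple"}
    record = hash_password(request["password"])
    print("stored:", record)                       # no plaintext in here
    print("log line:", redact_for_log(request))    # password masked
    print("login ok:", verify_password("correcthorsebatterystaple", record))
```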

The timing so soon after recent reports about Facebook’s privacy issues undoubtedly invites more scrutiny on the social media network.

In addition to encouraging users to change their passwords, Twitter also encouraged users to enable login verification and to make sure they were using a unique password that they were not reusing on other sites or apps.

As a friendly reminder, much of the long-accepted common wisdom about making complicated passwords has been shown to be less effective than using a longer password that you can easily remember. There is an xkcd comic that illustrates the point well: “correcthorsebatterystaple” — a password of four random but real words — is easier to remember than the gibberish ones with mixes of capitalized letters, numbers, and symbols.

Good luck, everyone. (And yes, I’ve already changed my password, so @rumpfshaker is secure.)

Follow Sarah Rumpf on Twitter: @rumpfshaker