Twitter urges all users to change ‘unmasked’ passwords after bug discovered
Twitter did not specify how many passwords were exposed or how long the glitch made data vulnerable to snooping.
Twitter on Thursday urged its more than 300 million users to change their passwords, saying they had been unintentionally "unmasked" inside the company by a software bug.
The social media site said it found no sign that hackers accessed the exposed data, but advised users to change their passwords to be safe.
Twitter practice is to store passwords encrypted, or "hashed," so they are masked to even people inside the company, Twitter chief technology officer Parag Agrawal explained in a blog post.
We recently found a bug that stored passwords unmasked in an internal log. We fixed the bug and have no indication of a breach or misuse by anyone. As a precaution, consider changing your password on all services where you've used this password. https://t.co/RyEDvQOTaZ— Twitter Support (@TwitterSupport) May 3, 2018
"Due to a bug, passwords were written to an internal log before completing the hashing process," he said.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again."
The San Francisco-based internet company did not specify how many passwords were exposed or how long the glitch made data vulnerable to snooping.
"Out of an abundance of caution, we ask that you consider changing your password on all services where you've used this password," Agrawal told users.
"We are very sorry this happened," he said.
The stumble comes as the sector faces intense scrutiny over the protection of personal data online, in the wake of the Cambridge Analytica scandal which saw information from tens of millions of Facebook users hijacked and misused.
Twitter shares ebbed about a percent to $30.36 in after-market trades that followed word of the password mishap.
Better to change
Going public with a security slip and getting users to take precautions is preferable to remaining mum and hoping no data was taken, according to independent technology industry analyst Rob Enderle.
"When in doubt, it is better to have people change passwords than to be wrong," Enderle said.
"With security, it is always better to err on the side of caution."
The analyst thought it unlikely people would abandon Twitter simply for being asked to change passwords.
"Openly admitting our mistakes quickly, learning, and moving on," Twitter co-founder and chief executive Jack Dorsey said in a tweet that including a link to Agrawal's blog post.
"I love my teammates."
Out of the red
Twitter last week reported its second consecutive quarterly profit, boosting the outlook for the platform after years in the red.
The social network earned $61 million in the first three months of the year, helped by strong growth in advertising revenue and modest gains in users.
First quarter revenues rose 21 percent from a year ago to $665 million, and the key metric of monthly active users increased by six million from late last year to 336 million.
Dorsey said while discussing earnings that recent changes made to the service have helped "engagement," a measure of how often people turn to the social network and how long they stay.
While Twitter has built a solid core base of celebrities, politicians and journalists, it has failed to match the broader appeal of Facebook and other social platforms, hurting its ability to bring in ad revenues.
The network has stepped up efforts to boost its user base and engagement, adding streaming video partnerships, doubling the character limit on tweets to 280 and making it easier to create "tweetstorms" by stringing messaging together.