SAN FRANCISCO (CNET) — Twitter is advising users to change their passwords after discovering a glitch that stored passwords unmasked in an internal log. The company says it fixed the bug and there is no indication of a breach or misuse.
Still, it’s urging its 330 million users to change their passwords as a precaution.
The issue stemmed from a bug in Twitter’s password hashing. It’s standard security practice for companies to hash passwords before storing them on their internal servers. So if your password is “12345” — which we highly recommend against — it wouldn’t show up in the website’s database as “12345,” but rather as a hash: a fixed-length string of letters and numbers derived from the password, from which the original cannot be read back.
Twitter said it stores passwords hashed with an algorithm called bcrypt. But because of a bug, the social network had written the plain-text password to an internal log before it was hashed. The company did not respond to a request for comment to clarify what the bug was.
Those passwords were kept on an internal log before Twitter discovered and deleted them. The company said it was “implementing plans to prevent this bug from happening again.”
While Twitter said it doesn’t believe the passwords were lost in a breach or misused, passwords are supposed to be hashed before they reach any internal log, so that even employees with access to those logs can’t read them.
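The practice the article describes (hash with a slow, salted algorithm and store only the hash) and the failure mode it reports (the plain-text password reaching a log before it is hashed) are shown side by side in the Python example below. This is an added illustration, not Twitter’s code; bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it, and the function names, the redaction filter and the sample credential are all constructed for this example.

```python
import hashlib
import hmac
import io
import logging
import os
import re
from typing import Callable, Optional

# bcrypt lives outside the standard library, so PBKDF2-HMAC-SHA256 stands in
# for it here (an assumption of this example). The storage shape is the same:
# a random salt plus a deliberately slow hash, never the password itself.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


class RedactSecrets(logging.Filter):
    """Backstop for the log pipeline: scrub password-like fields before a
    record is written. It catches the obvious case only; the real fix is to
    keep the secret out of the log call altogether (see safe_login)."""

    PATTERN = re.compile(r"((?:password|passwd|pwd)\s*[=:]\s*)(\S+)", re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        rendered = record.getMessage()  # apply %-style args first
        record.msg = self.PATTERN.sub(r"\1[REDACTED]", rendered)
        record.args = ()  # message is already fully formatted
        return True


def buggy_login(log: logging.Logger, username: str, password: str) -> str:
    """The mistake the article describes: the raw request is logged before hashing."""
    log.info("login request user=%s password=%s", username, password)
    return hash_password(password)


def safe_login(log: logging.Logger, username: str, password: str) -> str:
    """Hash first, and never pass the secret to a log call at all."""
    hashed = hash_password(password)
    log.info("login request user=%s", username)
    return hashed


def run_login(handler_fn: Callable[[logging.Logger, str, str], str],
              username: str, password: str, redact: bool) -> str:
    """Run one login through an in-memory log and return what the log captured."""
    buf = io.StringIO()
    logger = logging.getLogger(f"demo.{id(buf)}")  # fresh logger per run
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    if redact:
        handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    handler_fn(logger, username, password)
    handler.flush()
    return buf.getvalue()


def log_leaks_password(handler_fn: Callable[[logging.Logger, str, str], str],
                       redact: bool, password: str = "s3cret-passw0rd") -> bool:
    """True if the plain-text password (a constructed sample) ended up in the log."""
    return password in run_login(handler_fn, "alice", password, redact)


if __name__ == "__main__":
    print("buggy, no filter  leaks:", log_leaks_password(buggy_login, redact=False))
    print("buggy, with filter leaks:", log_leaks_password(buggy_login, redact=True))
    print("safe, no filter   leaks:", log_leaks_password(safe_login, redact=False))
```

The filter is worth having as a second line of defence, but note its limit: it only recognises fields that look like `password=...`, so a secret embedded in a dumped request body or a stack trace would still slip through. That is why the durable fix is the one in `safe_login`: hash as early as possible and make sure no code path hands the plain text to the logger.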
If Twitter had suffered a breach, hashed passwords would have provided an extra layer of protection.