Twitter finds bug, advises changing passwords

Sean Reid
May 4, 2018

Users who opened their accounts Thursday evening received a prompt from Twitter asking them to consider changing their password on all services where they used the password.

In a blog post, Twitter Chief Technology Officer Parag Agrawal wrote that Twitter uses the bcrypt hashing function, based on Bruce Schneier's Blowfish encryption algorithm, to store mathematical representations of passwords. To secure accounts and protect its users, Twitter took a couple of measures, including locking suspected accounts and/or sending emails to them to reset passwords. "This is an industry standard."

The company went on to explain the bug, saying that during the hashing process, passwords were being written to a log.

TwitterSupport just tweeted that something bad has happened about passwords or encryption or something and even though they say it's fixed, you never know what former superpower might have indentured bot people sneaking around trying to pilfer your data.

Twitter has urged all users to consider changing their password.

"We recognise and appreciate the trust you place in us, and are committed to earning that trust every day."

A more detailed explanation of the issue can be seen below, or on the official Twitter blog. (But really, change your password.) Agrawal neglects to mention that we Twitter users didn't choose to have our passwords potentially compromised.

While the bug is fixed, and they claim there has been no evidence of a breach or misuse, I say, better safe than sorry.

So should I change my Twitter password?

When you log in, whatever you enter in the password field is quickly run through the same hashing algorithm and then compared to your hashed password on file.
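The logging bug and the login check described above, as an added example that is not code from Twitter or from the original article: the same login routine is run once with a logger that records the request fields as they arrive and once with a redaction filter attached. PBKDF2 from Python's standard library stands in for bcrypt, and the field names, logger names and sample credentials are constructed for illustration.

```python
import hashlib, hmac, io, logging, os

SENSITIVE = {"password"}  # assumed name of the sensitive request field

class RedactFilter(logging.Filter):
    """Mask sensitive fields in dict-style log arguments before formatting."""
    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: ("[REDACTED]" if k in SENSITIVE else v)
                           for k, v in record.args.items()}
        return True

def hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 is a stand-in here; the article says Twitter uses bcrypt.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify(password, salt, stored):
    # Re-hash the submitted password and compare in constant time.
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

def make_logger(name, stream, redact):
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(stream))
    if redact:
        logger.addFilter(RedactFilter())
    return logger

def login(logger, fields, salt, stored):
    # The bug class: request fields reach the log before the password is hashed.
    logger.info("login user=%(user)s password=%(password)s", fields)
    return verify(fields["password"], salt, stored)

def demo():
    secret = "correct horse battery staple"  # constructed sample password
    salt, stored = hash_password(secret)
    result = {}
    for name, redact in (("buggy", False), ("fixed", True)):
        buf = io.StringIO()
        fields = {"user": "alice", "password": secret}
        ok = login(make_logger("demo." + name, buf, redact), fields, salt, stored)
        result[name] = (ok, secret in buf.getvalue())  # (login ok, plaintext in log)
    return result

if __name__ == "__main__":
    print(demo())
```

In both runs the login succeeds against the stored hash; only the unfiltered logger leaves the plaintext password in its output.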

For more protection on your account, you can also activate two-factor authentication.

Now click "Account" and select "Set up login verification".

Use a password manager to make sure you're using strong, unique passwords everywhere.

Bonus 1: Set up third-party verification app

You can also choose third-party applications such as Duo Mobile, Authy or Google Authenticator to get the verification code.
