Unfortunately, password leaks are very common in the industry. The haveibeenpwned database holds billions of MySpace, LinkedIn, Adobe and Badoo usernames and passwords that have been exposed in breaches. Now Twitter may soon join that unenviable list, as the passwords of its 336 million users might have been leaked.
Twitter has been storing all of its users’ passwords as plain text
This is what the social network announced on its official support account. Twitter has confirmed that passwords were stored as plain text in an internal log because of a bug in its password handling. As a result, anyone with access to that file would also have had access to the username and password of every Twitter profile.
In the blog post about the bug, Twitter also took the opportunity to remind us how it protects passwords. In a nutshell, the process, called hashing, replaces what we type with a string of letters and numbers. The hash is generated by a function, which in Twitter's case is bcrypt. With this process, the stored content is protected against being read directly, and it can only be accessed with the key.
When we type our Twitter password, the social network does not actually know the content of that password. What we type is turned into a hash, and Twitter checks whether that hash matches the one in its database before granting us access.
However, it seems that Twitter made the mistake of keeping an internal plain-text log of the usernames and passwords that members entered when logging in, before those passwords were hashed. This is highly unusual, and it shows that the social network's security is not as good as it seemed. Moreover, GitHub has just admitted it had a similar bug that recorded passwords as plain text.
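The two ideas above, hash-and-compare verification and the logging mistake that defeats it, are easiest to see side by side. The following is an added example, not Twitter's code: it uses PBKDF2 from Python's standard library as a stand-in for bcrypt (same salted, slow, one-way verify-by-recompute pattern; the iteration count is an assumed work factor), and the usernames, passwords and log lines are constructed for the demonstration.

```python
import hashlib
import hmac
import logging
import os
from io import StringIO
from typing import Dict, Optional, Tuple

# Assumed work factor. bcrypt's cost parameter plays the same role; PBKDF2 is used
# here only because it ships with the standard library.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and return it as 'pbkdf2$<iterations>$<salt>$<digest>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash from the typed password and compare it to the stored one.
    The service never learns the password; it only learns whether the hashes match."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed in-memory user store: username -> stored hash string.
USERS: Dict[str, str] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login_leaky(username: str, password: str, log: logging.Logger) -> bool:
    """The failure mode the article describes: the raw credentials are written
    to a log before they are hashed, so whoever can read the log holds the password."""
    log.info("login attempt user=%s password=%s", username, password)
    return verify_password(password, USERS.get(username, ""))


def login_safe(username: str, password: str, log: logging.Logger) -> bool:
    """Same check, but only the username and the outcome reach the log."""
    ok = verify_password(password, USERS.get(username, ""))
    log.info("login attempt user=%s result=%s", username, "ok" if ok else "fail")
    return ok


def run_with_captured_log(handler, username: str, password: str) -> Tuple[bool, str]:
    """Run a login handler with a logger that writes to a string, so the log
    contents can be inspected for leaked secrets."""
    buffer = StringIO()
    logger = logging.getLogger(f"demo.{handler.__name__}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [logging.StreamHandler(buffer)]
    result = handler(username, password, logger)
    logger.handlers[0].flush()
    return result, buffer.getvalue()


def log_leaks_password(log_text: str, password: str) -> bool:
    """Simple detection check: does the plaintext password appear in the log?"""
    return password in log_text


def demo() -> Dict[str, bool]:
    secret = "correct horse battery staple"  # constructed sample password
    register("alice", secret)
    ok_leaky, leaky_log = run_with_captured_log(login_leaky, "alice", secret)
    ok_safe, safe_log = run_with_captured_log(login_safe, "alice", secret)
    ok_wrong, _ = run_with_captured_log(login_safe, "alice", "wrong password")
    return {
        "leaky_login_ok": ok_leaky,
        "leaky_log_contains_password": log_leaks_password(leaky_log, secret),
        "safe_login_ok": ok_safe,
        "safe_log_contains_password": log_leaks_password(safe_log, secret),
        "wrong_password_rejected": not ok_wrong,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both handlers accept the right password and reject the wrong one, so the bug is invisible to the login flow itself; the difference only shows up when you read the log, which is why a check like `log_leaks_password` belongs in a test suite or a log-review job rather than being left to chance.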
The social network claims that the data that was incorrectly stored has not been misused
Twitter confirms that it discovered the bug on its own rather than through a third party, and that no leaked data has been found on the dark web. Once the company found the bug, it deleted the plain-text passwords and logs, and it has fixed the bug to prevent it from happening again.
Twitter does not know whether anyone accessed the file, nor for how long the bug was active. After an internal investigation, Twitter states that there is no indication of a security breach or misuse.
However, any employee might have had access to that file, and some employees are unhappy with the company because hundreds of them were fired last year. So anyone could have made a copy of the database and sold it on the dark web, meaning that our password could now be in the hands of a hacker.
Therefore, Twitter (and we) have started prompting users to change their passwords preemptively, as soon as possible. You should do this for Twitter and for any other account on which you used the same email and password (a practice we should avoid precisely to prevent this kind of situation). It is also advisable to enable two-factor authentication, so that someone who has the password still cannot get into our account.